\ "т 


; N 
Intro icing 
SQL Server 2016 


Mission-Critical Applications, Deeper Insights, 
Hyperscale Cloud 

Preview Edition 

Stacia Varga, Denny Cherry, Joseph D'Antoni 


| 








\\ 1 / YA ТЕ Microsoft 
CIS 


Microsoft 
SOL Server 2016 


Mission-Critical Applications, Deeper Insights, 
Hyperscale Cloud 


Preview Edition 





Introducing Microsoft SQL 
Server 2016 


Mission-Critical Applications, Deeper 
Insights, Hyperscale Cloud, Preview 
Edition 


Stacia Varga, Denny Cherry, and Joseph 
D'Antoni 


ШЕ Microsoft 


PUBLISHED BY 

Microsoft Press 

A division of Microsoft Corporation 
One Microsoft Way 

Redmond, Washington 98052-6399 


Copyright O 2016 by Microsoft Corporation 


All rights reserved. No part of the contents of this book may 
be reproduced or transmitted in any form or by any means 
without the written permission of the publisher. 


ISBN: 978-1-5093-0193-5 
Printed and bound in the United States of America. 
First Printing 


Microsoft Press books are available through booksellers and 
distributors worldwide. If you need support related to this 
book, email Microsoft Press Support at 
mspinput@microsoft.com. Please tell us what you think of 
this book at http://aka.ms/tellpress. 


This book is provided “as-is” and expresses the author's 
views and opinions. The views, opinions and information 
expressed in this book, including URL and other Internet 
website references, may change without notice. 





Some examples depicted herein are provided for illustration 
only and are fictitious. No real association or connection is 
intended or should be inferred. 


Microsoft and the trademarks listed at 
http://www.microsoft.com on the “Trademarks” webpage are 
trademarks of the Microsoft group of companies. All other 
marks are property of their respective owners. 


Acguisitions and Developmental Editor: Devon 
Musgrave 
Project Editor: John Pierce 


Editorial Production: Flyingspress 
Cover: Twist Creative • Seattle 


Contents at a glance 


Chapter 2 Better security 


Chapter 4 Improved database engine 





Chapter 7 Better reporting 


Contents 


Chapter 2 Better security 
Always Encrypted 
Getting_started with Always Encrypted 
Creating_a table with encrypted values 
CREATE TABLE statement for encrypted columns 
шаш mi tables to Alw 
























ays Encrypted 

















cresting ei: 

Creating_security policies 

Using_block predicates 
Dynamic data masking 

















Dyramice gata 2 of anew table 





Maskir T 4 ns 
Using dynamic data masking in SOL Database 











Chapter 4 Improved database engine 

TempDB enhancements 
Configuring data files for TempDB 
Eliminating specific trace flags 

Ouery Store 
Enabling Ouery Store 
Understanding Ouery Store components 
Reviewing information in the guery store 
Using Force Plan 
Managing the guery store 

















Tuning with the query store 
Stretch Database 
Understanding Stretch Database architecture 
Security and Stretch Database 
Identifying tables for Stretch Database 
Configuring Stretch Database 
Monitoring Stretch Database 
Backup and recovery with Stretch Database 











Chapter 7 Better reporting 
Report content types 
Paginated report development enhancements 
tools 
Exploring new data visualizations 
Managing parameter layout in paginated reports 
Mobile report development 
KPI development 
Report access enhancements 
Accessing reports with modern browsers 
Viewing. reports on mobile devices 
Exporting 
Pinning reports to Power BI 
Managing subscriptions 
































Chapter 2. Better security 


SQL Server 2016 introduces three new principal security 
features—Always Encrypted, Row-Level Security, and 
dynamic data masking. While all these features are security 
related, each provides a different level of data protection 
within this latest version of the database platform. 
Throughout this chapter, we explore the uses of these 
features, how they work, and when they should be used to 
protect data in your SQL Server database. 


Always Encrypted 


Always Encrypted is a client-side encryption technology in 
which data is automatically encrypted not only when it is 
written but also when it is read by an approved application. 
Unlike Transparent Data Encryption, which encrypts the data 
on disk but allows the data to be read by any application 
that gueries the data, Always Encrypted reguires your client 
application to use an Always Encrypted-enabled driver to 
communicate with the database. By using this driver, the 
application securely transfers encrypted data to the 
database that can then be decrypted later only by an 
application that has access to the encryption key. Any other 
application guerying the data can also retrieve the 
encrypted values, but that application cannot use the data 
without the encryption key, thereby rendering the data 
useless. Because of this encryption architecture, the SOL 
Server instance never sees the unencrypted version of the 
data. 


Note 


At this time, the only Always Encrypted-enabled 
drivers are the .NET Framework Data Provider for 
SqlServer, which requires installation of .NET 
Framework version 4.6 on the client computer, 
and the JDBC 6.0 driver. In this chapter, we refer to 
both of these drivers as the ADO.NET driver for 
simplicity. 


Getting started with Always Encrypted 


Using Always Encrypted requires a small amount of 
preparation within the database storing the encrypted 
tables. While this can be done by using a wizard in SQL 
Server Management Studio, using T-SQL is a more 
repeatable process for production deployments, so this 
chapter will focus on the T-SQL configuration process. The 
preparation is a two-step process: 


1. Create the column master key definition 
2. Create the column encryption key 


Column master key definition 


The column master key is a certificate that is stored within a 
Windows certificate store, a third-party Hardware Security 
Module (HSM), or the Azure Key Vault. The application that is 
encrypting the data uses the column master key to protect 
the various column encryption keys that handle the 
encryption of the data within the columns of a database 
table. 


Note 


Using an HSM, also known as an Enterprise Key 
Manager (EKM), requires the use of SQL Server 
Enterprise Edition. In this chapter, we describe the 
use of a self-signed certificate that you store in the 
Microsoft Certificate Store of the Windows 
operating system. While this is approach is not the 
optimal configuration, it demonstrates the 
concepts of Always Encrypted and is applicable to 
any edition of SOL Server. 


You can create a column master key definition by using the 
graphical interface within SOL Server Management Studio 
(SSMS) or by using T-SOL. In SSMS, connect to the SOL 
Server 2016 database instance in which you want to use 
Always Encrypted to protect a database table. In Object 
Explorer, navigate first to the database, then to Security, 
and then expand the Always Encrypted Keys folder to 
display its two subfolders, as shown in Figure 2-1. 
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Figure 2-1: Always Encrypted Keys folder in SQL Server 
2016 Object Explorer. 


To create the column master key, right-click the Column 
Master Keys folder and select New Column Master Key. In the 
New Column Master Key dialog box, type a name for the 
column master key, specify whether to store the key in the 
current user's or local machine's certificate store or the 
Azure Key Vault, and then select a certificate in the list, as 
shown in Figure 2-2. If there are no certificates, or if you 
want to use a new self-signed certificate, click the Generate 
Certificate button, and then click OK. This step creates a 
self-signed certificate and loads it into the certificate store of 
the current user account running SSMS. 
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Figure 2-2: New Column Master Key dialog box. 


Note 


You should perform these steps on a trusted 
machine, but not on the computer hosting your 
SQL Server instance. That way, the data remains 
protected in SQL Server even if the host computer 
is compromised. 


After creating the certificate and configuring it as a column 
master key, you must then export and distribute it to all 
computers hosting clients requiring access to the data. If a 
client application is web-based, you must load the certificate 
on the web server. If it is an application installed on users’ 
computers, then you must deploy the certificate to each 
user's computer individually. 
You can find applicable instructions for exporting and 
importing certificates for your operating system at the 
following URLs: 

* Exporting certificates 

* Windows 7 and Windows Server 2008 R2: 
https://technet. microsoft. com/en- 
us/library/cc730988.aspx. 

* Windows 8 and Windows Server 2012: 
https://technet. microsoft. com/en- 
us/library/hh848628(v=wps.620).aspx. 

* Windows 8.1 and Windows Server 2012 R2: 
https://technet.microsoft.com/en- 
us/library/hh848628(v=wps.630).aspx. 

* Windows 10 and Windows Server 2016: 
https://technet.microsoft.com/en- 
us/library/hh848628(v=wps.640).aspx. 

* Importing certificates 

e Windows 7 and Windows Server 2008 R2: 

https://technet. microsoft. com/en- 











us/library/cc754489.aspx. 

• Windows 8 and Windows Server 2012: 
https://technet. microsoft. com/en- 
us/library/hh848630(v=wps.620).aspx. 

e Windows 8.1 and Windows Server 2012 R2: 
https://technet.microsoft.com/en- 
us/library/hh848630(v=wps.630).aspx. 

• Windows 10 and Windows Server 2016: 
https://technet.microsoft.com/en- 
us/library/hh848630(v=wps.640).aspx. 





Certificate stores and special service 
accounts 


When you import certificates into the certificate 
store on the computers with the application that 
encrypts and decrypts the data, you must import 
the certificates into either the machine certificate 
store or the certificate store of the domain account 
running the application. 


As an alternative, you can create a column master key by 
using T-SQL. Although you might find that creating the key 
is easier using SSMS, T-SOL scripts provide you with a 
repeatable process that you can check into a source control 
system and keep safe in case you need to rebuild the server. 
Furthermore, because best practices for SOL Server 2016 
discourage installation of SSMS on the server's console and 
Windows security best practices discourage certificate 
installation on unsecured systems such as users' desktops, 
the use of T-SQL scripts to create column master keys is 
recommended. 

To create a column master key, use the CREATE COLUMN 
MASTER KEY statement, as shown in Example 2-1. This 
statement reguires you to supply a name for the definition, 





such as MyKey, as shown in the example. You must also set 
the value for KEY STORE PROVIDER NAME as 

MSSOL CERTIFICATE STORE. Last, you specify the path for 
the certificate in the certificate store as the KEY PATH value. 
This value begins with CurrentUser when you use a 
certificate stored in the user account's certificate store or 
LocalMachine when using a certificate stored in the 
computer's certificate store. The rest of the value isa 
random-looking string of characters that represents the 
thumbprint of the selected certificate. This thumbprint is 
unique to each certificate. 


Example 2-1: Creating a column master key 


Click here to view code image 


USE [Samples] 
GO 
CREATE COLUMN MASTER KEY MyKey 
WITH 
( 
KEY STORE PROVIDER NAME = N'MSSOL CERTIFICATE STORE', 
KEY PATH = 
N'CurrentUser/My/DE3A770F25EBD6071305B77FB198D1AE434E6014' 
y 
GO 


Other key store providers? 


You may be asking yourself what key-store 
providers are available besides the Microsoft SQL 
Server certificate store. You can choose from 
several other key-store providers. One option is 
MSSQL CSP PROVIDER, which allows you to use 
any HSM supporting Microsoft CryptoAPI. Another 
option is MSSQL CNG STORE, which allows you to 
use any HSM supporting Cryptography API: Next 
Generation. A third option is to specify 

AZURE KEY VAULT as the key-store provider, 
which requires you to download and install the 
Azure Key Vault key store provider on the 
machines accessing the protected data, which will 
be protected as described at 
http://blogs.msdn.com/b/sglsecurity/archive/2015/ 
11/10/using-the-azure-key-vault-key-store- 
provider.aspx. Last, you can use a custom 
provider, as described at 
http://blogs.msdn.com/b/sglsecurity/archive”/2015 
/09/25/creating-an-ad-hoc-always-encrypted- 
provider-using-azure-keyvault.aspx. Although this 
article provides an example using Azure Key Vault, 
you can apply the principles to the development 
of a custom provider. 








Finding the certificate thumbprint 


You can easily locate the thumbprint of the 
certificate in the certificate store by using the 
Certificate snap-in within the Microsoft 
Management Console (MMC). In MMC, on the File 
menu, select Add/Remove Snap-In. In the Add Or 
Remove Snap-ins dialog box, select Certificates in 
the Available Snap-ins list on the left, and click 
the Add button to move your selection to the 
right. The Certificates Snap-in dialog box prompts 
you to select a certificate store. Choose either My 
User Account or Computer Account, depending on 
which certificate store you are using. Click the 
Finish button, and then click OK. Expand the 
Certificates folder to locate your certificate in the 
Personal/Certificates subfolder, double-click the 
certificate, select the Details tab, and scroll to the 
bottom, where you can see the thumbprint that 
you use as the value for the CREATE COLUMN 
MASTER KEY DEFINITION statement. 


Column encryption keys 


After creating a column master key, you are ready to create 
the encryption keys for specific columns. The SQL Server 
2016 ADO.NET driver uses column encryption keys to 
encrypt the data before sending it to the SQL Server and to 
decrypt the data after retrieving it from the SQL Server 2016 
instance. As with the column master key, you can create 
column encryption keys by using T-SQL or SSMS. While the 
column master keys are easier to create by using T-SQL, 
column encryption keys are easier to create by using SSMS. 
To create a column encryption key, use Object Explorer to 
connect to the database instance, navigate to the database, 
then to Security, and expand the Always Encrypted Keys 


folder. Right-click Column Encryption Keys, and then select 
New Column Encryption Key. In the New Column Encryption 
Key dialog box, type a name for the new encryption key, 
select a Column Master Key Definition in the drop-down list, 
as shown in Figure 2-3, and then click OK. You can now use 
the column encryption key in the definition of a new table. 
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Figure 2-3: New Column Encryption Key dialog box. 


To create a new column encryption key by using T-SQL, you 
use the CREATE COLUMN ENCRYPTION KEY statement as 
shown in Example 2-2. 


Example 2-2: CREATE COLUMN ENCRYPTION KEY 


Click here to view code image 


USE [Samples] 

GO 

CREATE COLUMN ENCRYPTION KEY [MyColumnKey] 
WITH VALUES 

( 

COLUMN MASTER KEY DEFINITION = [MyKey], 

ALGORITHM = 'RSA OAEP', 

ENCRYPTED VALUE = 
0x016E008000630075007200720065006E00740075007300650072002F006 
D0079002F006400650033006100370037003 
0006600320035006500620064003600300037003100330030003500620037 
003700660062003100390038006400310061 
006500340033003400650036003000310034004D74119935C902E59F57A96 
C3E6F770826D247135FFFA759B5B013DF4DA 
F7CFB760A5864DD8381B91924D067BE4F574B50DE7F0D53F278E1C003B5D1 
92865B808C1590224F4A4BB463255101C36D 
3089F46609B376D7B00FA9FOCEAF715398EECAB790AC6EC8BD18C17B3EB99 
2CAE08FEA6A2F5A2BDDA4F5A700744E45861 
F993A3C488127E5897B30892DD2734DD5D84F096882A393D5877C5A20E392 
888FE0357F46DB578AEB4C677CFFCE228127 
6C4D12F3E5AC3BCCCO9B78BB0E522D86F9B2CF989F14695B7CB95A478194E 
CBD175B5C7C1687B7589FD9145B2782CBOBB 
AB6F7F5BOAC7F8C256EBOD3D87ABAE4F73137FA4AFA387B791B54AC503B53 
271D 
jp 
GO 


The CREATE COLUMN ENCRYPTION KEY statement accepts 
three parameters. The first parameter is COLUMN MASTER 
KEY DEFINITION, which corresponds to the column master 
key definition that you created in a previous step. The 
second parameter defines the encryption algorithm used to 
encrypt the value of the encryption key. In SOL Server 2016, 
the only supported parameter value at this time is 

RAS OAEP. The third parameter is the value of the column 
encryption key after it has been encrypted by the column 
master key definition. 


Note 


When creating column encryption keys, you 
should not use an unencrypted value as the 
ENCRYPTED_VALUE parameter of the CREATE 
COLUMN ENCRYPTION KEY statement. Otherwise, 
you compromise the benefits of Always Encrypted 
by making data vulnerable to attack. 


The CREATE COLUMN ENCRYPTION KEY command accepts a 
minimum of one VALUE block, and a maximum of two VALUE 
blocks. Two VALUE blocks should be used when rotating 
encryption keys, either because a key has expired or 
because it has become compromised. Two keys should exist 
within the database long enough for all connected 
applications to download the new encryption keys from the 
database. Depending on the application design and client 
connectivity, this process may take minutes or months. 


Generating new encrypted values 


Given that the value is encrypted, how can new 
encrypted values be generated? The easiest way 
is to use SSMS to open the New Column 
Encryption Key dialog box shown in Figure 2-3, 
select the correct column master key definition, 
provide a name for the new encryption key, and 
then click the Script button at the top of the 
dialog box. This selection gives you the full 
CREATE COLUMN ENCRYPTION KEY statement, 
including a new random encrypted value. You can 
then add this new value as a second encryption 
key and thereby easily rotate the encryption keys. 


Creating a table with encrypted values 


After creating the column master key definition and column 
encryption keys, you can create the table to hold the 
encrypted values. Before you do this, you must decide what 
type of encryption to use, which columns to encrypt, and 
whether you can index these columns. With the Always 
Encrypted feature, you define column sizes normally, and 
SQL Server adjusts the storage size of the column based on 
the encryption settings. After you create your table, you 
might need to change your application to execute 
commands on this table using Always Encrypted. In this 
section, we describe the choices you have when creating 
your table and adapting your application. 


Encryption types 


Before creating a table to contain encrypted values, you 
must first make a choice about each column to be 
encrypted. First, will this column be used for looking up 
values or just returning those values? If the column is going 
to be used for lookups, the column must use a deterministic 
encryption type, which allows for eguality operations. 
However, there are limitations on searching for data that has 
been encrypted by using the Always Encrypted feature. SOL 
Server 2016 supports only eguality operations, which 
include egual to, not egual to, joins (which use eguality), 
and using the value in the GROUP BY clause. Any search 
using LIKE is not supported. Additionally, sorting data that is 
encrypted using Always Encrypted must be done at the 
application level, as SOL Server will sort based on the 
encrypted value rather than the decrypted value. 


If the column is not going to be used for locating records, 
then the column should use the randomized encryption 
type. This type of encryption is more secure, but it does not 
support searches, joins, or grouping operations. 


CREATE TABLE statement for encrypted 
columns 


When creating tables, you use the normal CREATE TABLE 
syntax with some additional parameters within the column 
definition, as shown in Example 2-3. Three parameters are 
used within the ENCRYPTED WITH syntax for the CREATE 
TABLE statement. The first of these is the ENCRYPTION_TYPE 
parameter, which accepts a value of RANDOMIZED or 
DETERMINISTIC. The second is the ALGORITHM parameter, 
which only accepts a value of 

AEAD AES 256 CBC HMAC SHA 256. The third parameter 
is the COLUMN ENCRYPTION KEY, which is the encryption 
key you use to encrypt the value. 


Example 2-3: Creating a table using Always 
Encrypted 


Click here to view code image 


CREATE TABLE [dbo].[Customers] ( 
[CustomerId] [int] IDENTITY(1,1), 
[TaxId] [varchar](11) COLLATE Latinl General BIN2 
ENCRYPTED WITH (ENCRYPTION TYPE = DETERMINISTIC, 
ALGORITHM = 'AEAD AES 256 CBC HMAC SHA 256', 
COLUMN ENCRYPTION KEY = MyColumnKey) NOT NULL, 
[FirstName] [nvarchar](50) NULL, 
[LastName] [nvarchar](50) NULL, 
[MiddleName] [nvarchar](50) NULL, 
[Address1] [nvarchar](50) NULL, 
[Address2] [nvarchar](50) NULL, 
[Address3] [nvarchar](50) NULL, 
[City] [nvarchar] (50) NULL, 
[PostalCode] [nvarchar](10) NULL, 
[State] [char](2) NULL, 
[BirthDate] [date] 
ENCRYPTED WITH (ENCRYPTION TYPE = RANDOMIZED, 
ALGORITHM = 'AEAD AES 256 CBC HMAC SHA 256', 
COLUMN ENCRYPTION KEY = MyColumnKey) NOT NULL 
PRIMARY KEY CLUSTERED ([CustomerId] ASC) ON [PRIMARY] ); 
GO 








The sample code shown in Example 2-3 creates two 
encrypted columns. The first encrypted column 15 the Taxld 
column, which is encrypted as a deterministic value because 
our application allows a search of customers based on their 
government-issued tax identification number. The second 
encrypted column is the BirthDate column, which is a 
randomized column because our application does not 
reguire the ability to search, join, or group by this column. 


Indexing and Always Encrypted 


Columns containing encrypted data can be used as key 
columns within indexes— provided that those columns are 
encrypted by using the DETERMINISTIC encryption type. 
Columns encrypted by using the RANDOMIZED encryption 
type return an error message when you try to create an 
index on those columns. Columns encrypted by using either 
encryption type can be used as INCLUDE columns within 
nonclustered indexes. 


Because encrypted values can be indexes, no additional 
performance-tuning measures are reguired for values 
encrypted with Always Encrypted beyond the indexing and 
tuning that you normally perform. Additional network 
bandwidth and greater I/O are the only side effects that 
result from the increased size of the values being returned. 


Application changes 


The beauty of the Always Encrypted feature of SQL Server 
2016 is that applications already using stored procedures, 
ORMs, or parameterized T-SQL commands should require no 
application changes to use Always Encrypted, unless 
nonequality operations are currently being used. 
Applications that build SQL statements as dynamic SQL 
within the application and execute those commands against 
the database directly need to be modified to use 
parameterization of their queries, a recommended security 
best practice for all applications, before they can take 
advantage of the Always Encrypted feature. 


Another change required to make Always Encrypted work is 
the addition of a connection string attribute to the 
connection string of the application connecting to the 
database: 


Click here to view code image 


Column Encryption Setting=enabled 


With this setting added to the connection string, the 
ADO.NET driver asks the SQL Server if the executing 
command includes any encrypted columns, and if so, which 
columns are encrypted. For high-load applications, the use 
of this setting may not be the best practice, especially if a 
large percentage of executing commands do not include 
encrypted values. Consequently, the .NET Framework 
provides a new method on the SqlConnection object called 
SglCommandColumnEncryptionSetting, which has three 
possible values as shown in the following table. 

Method value Effective change 


Disabled There are no Always Encrypted columns or parameters to use for the queries that 
are executed by using this connection object. 





Enabled There are Always Encrypted columns and/or parameters in use for the queries that 
are executed by using this connection object. 


ResultSet There are no Always Encrypted parameters. However, executing queries using this 
connection object return columns encrypted by using Always Encrypted. 








Note 


Be aware that the use of this method can 
potentially require a significant amount of change 
to your application code. An alternative approach 
is to refactor your application to use different 
connections. 


For the best performance of SQL Server, it is wise to request 
only the metadata about Always Encrypted for those queries 
that use Always Encrypted. This means that in applications 
for which a large percentage of queries use Always 
Encrypted, the connection string should be enabled and the 
specific queries within the application should specify 
SglCommandColumnEncryptionSetting as Disabled. For 
applications for which most queries are not using Always 
Encrypted values, the connection string should not be 
enabled, and SglCommandColumnEncryptionSetting should 
be set for Enabled or ResultSet as needed for those queries 
that are using Always Encrypted columns. In most cases, 
applications are able to simply enable the connection string 
attribute, and application performance will remain 
unchanged while using the encrypted data. 


Note 


While enabling the Always Encrypted setting has 
been designed to be an easy-to-implement 
solution for application data encryption, it is a 
very major change to application functionality. 
Like all major changes to application functionality, 
there should be rigorous testing of this feature in a 
testing environment, including load testing, 
before making this change in a production 
environment. 


Migrating existing tables to Always Encrypted 


In a production environment, there is no direct path to 
migrate an unencrypted table to a table that is protected by 
Always Encrypted. A multiphased approach to data 
migration 15 required to move data from the current table 
into the new table. The basic approach to move data from an 
existing table into an Always Encrypted table includes the 
following steps: 
1. Build a new staging table. 
2. Write a .NET application using ADO.NET to process the 
encryption of both existing and updated rows. 
3. Run the .NET application built in the prior step. 
4. Drop the existing table and rename the new table to 
use the old table name. 
5. Change the application's connection string to include 
Column Encryption Setting=enabled. 


Note 
For nonproduction environments, you can use the 
Always Encrypted wizard or the Import/Export 
wizard in SSMS, which follow a process similar to 
the one we outline in this section. 


Step 1: Build a new staging table 


Because Always Encrypted does not support the conversion 
of an existing table into an Always Encrypted table, you 
must build a new table. The new table should have the same 
schema as the existing table. When you build the new table, 
the only changes you need to make are enabling the 
columns to be encrypted and specifying the collation as 
described in Example 2-3. 

A large application is likely to require a large amount of time 
to encrypt and move the data, and it might not complete 








this process during a single maintenance window. In that 
case, it is helpful to make two additional schema changes. 
The first change is to add a column on the production table 
to track when a row is updated (if the table does not already 
have such a column). The second change is to add a trigger 
to the production table that fires on delete and removes any 
rows from the new table when the row is deleted from the 
production table. To reduce downtime when you move the 
table with the encrypted data into production, you should 
create any indexes existing on the production table on the 
new table before loading it with data. 


Steps 2 and 3: Write a .NET application to encrypt 
the data and move it to the new table 


Because of the design of Always Encrypted, data is 
encrypted only by applications using the ADO.NET driver 
with parameterized queries. This design prevents you from 
using SSMS to move data into the new table. Similarly, you 
cannot use an application to perform a simple query such as 
this: 


Click here to view code image 


INSERT INTO NewTable SELECT * FROM OldTable; 


The rows must be brought from the database into a .NET 
application and then written back to the database using a 
parameterized query, one row at a time, for the data to be 
properly inserted as encrypted values in the database. 


For small applications, this process can be completed 
quickly, within a single maintenance window. For larger 
applications, this processes may take several nights, which 
requires the application to be aware of data changes during 
the business day. After the application has processed the 
initial push of data from the source table to the new table, 
the application must run periodically to move over any 


changed rows to the new table until the cutover has been 
completed. 


Step 4: Rename the table 


Once all the data has been migrated, the existing table can 
be dropped or renamed so that її can be saved until testing 
has been completed. Then the new table can be renamed so 
that it now has the production table's name. Any indexes 
existing on the production table that do not exist on the new 
table should be created at this time, as well as any foreign 
keys that exist on the old table. Once testing is completed, if 
the old table is not deleted, any foreign keys using that 
table as a parent should be removed to prevent issues when 
rows are deleted. 


Step 5: Update the application's connection string 


Once the tables are changed, the application needs to know 
to use Always Encrypted. To do this, change the 
application's connection string to use the new Column 
Encryption Setting=enabled attribute or release a new 
version of the application that uses the 
SglCommandColumnEncryptionSetting method on the 
connection object within the .NET code. 


Using Always Encrypted in Microsoft Azure 
SOL Database 


Always Encrypted is fully supported by the SOL 
Database platform. You configure Always 
Encrypted for a SOL Database just as you do for an 
on-premises SOL Server 2016 deployment by 
using T-SOL commands. At the time of this writing, 
there are no enhancements in the Microsoft Azure 
portal for configuring Always Encrypted in SOL 
Database. 


Row-Level Security 


Row-Level Security (RLS) allows you to configure tables such 
that users see only the rows within the table to which you 
grant them access. This feature limits which rows are 
returned to the user, regardless of which application they 
are using, by automatically applying a predicate to the 
query. You can use a filter predicate to silently filter the rows 
that are accessible by the user when using INSERT, UPDATE, 
or DELETE statements. In addition, you can use the following 
block predicates to block the user from writing data: AFTER 
INSERT, AFTER UPDATE, BEFORE UPDATE and BEFORE 
DELETE. These block predicates return an error to the 
application indicating that the user is attempting to modify 
rows to which the user does not have access. 


You implement RLS by creating an inline table function that 
identifies the rows accessible to users. The function you 
create can be as simple or complex as you need. Then you 
create a security policy to bind the inline table function to 
one or more tables. 


Note 


Although you can create a complex RLS inline 
table function, bear in mind that complex queries 
are typically slow to execute. Besides ensuring 
that your function properly limits access to 
specific rows in a table, you should take care that 
it does so with minimal impact to application 
performance. 


RLS is designed to simplify your application code by 
centralizing access logic within the database. It should be 
noted that, as with any RLS solution and workarounds, it is 
possible for users with the ability to execute arbitrary T-SQL 
commands to infer the existence of data that should be 


filtered, via side-channel attacks. Therefore, RLS is intended 
for scenarios where the queries that users can execute are 
controlled, such as through a middle-tier application. 


Be aware that RLS impacts all users of a database, including 
members of the db_owner fixed database role. Members of 
this role have the ability to remove the RLS configuration 
from tables in the database. However, by doing so, all other 
users again have access to all rows in the table. 


Note 


You can use branching logic in the inline table 
function for RLS when you need to allow members 
of the db owner fixed database role to access all 
rows in the table. 


Creating inline table functions 


The method by which users connect to a database 
determines how you need to write the inline table function. 
In an application that connects users to the database with 
their individual Windows or SQL login, the function must 
directly match each user's login to a value within the table. 
On the other hand, in an application that uses a single SOL 
login for authentication, you must modify the application to 
set the session context to use a database value that sets the 
row-level filtering as we explain in more detail later in this 
section. Either way, when you create a row-level filtering 
inline table function, you must enable SCHEMABINDING and 
the function must return a column that contains a value of 1 
(or any other valid value) when the user can view the row. 


Note 


You can implement RLS on existing tables without 
rebuilding the tables because the inline table 
function that handles the filtering is a separate 
object in the database, which you then bind to the 
table after you create the function. Conseguently, 
you can guickly and easily implement RLS in 
existing applications without requiring significant 
downtime. 


Application using one login per user 


When your application logs into the database engine by 
using each user's Windows or SQL login, your inline table 
function needs only to compare the user's login against a 
table in the database to determine whether the user has 
access to the requested rows. As an example, let's say you 
have an Orders application for which you want to use RLS to 
restrict access to order information to the person entering 
the order. First, your application requires an Order table, 
such as the one shown in Example 2-4. When your 
application writes a row into this table, it must store the 
user's login in the SalesRep column. 


Example 2-4: Creating an Orders table 
CREATE TABLE Orders 
( 


OrderId int, 
SalesRep sysname 


Your next step is to create an inline table function like the 
one shown in Example 2-5. In this example, when a user 
queries the Orders table, the value of the SalesRep column 
passes into the OSalesRep parameter of the fn Orders 


function. Then, row by row, the function compares the 
@SalesRep parameter value to the value returned by the 
USER_NAME() system function and returns a table 
containing only the rows for which it finds a match between 
the two values. 


Example 2-5: Creating an inline table function to 
restrict access by user login 


Click here to view code image 


CREATE FUNCTION dbo.fn Orders(@SalesRep AS sysname) 
RETURNS TABLE 

WITH SCHEMABINDING 

AS 
RETURN 

SELECT 1 AS fn Orders result 

WHERE @SalesRep = USER NAME(); 

GO 


Note 


The data type of the parameter in your inline table 
function must match the corresponding column 
data type in the table that you plan to secure with 
RLS, although it is not necessary for the parameter 
name to match the column name. However, 
managing your code is easier if you keep the 
names consistent. 


Now let's consider what happens if your database contains 
related information in another table, such as the 
OrderDetails table shown in Example 2-6. 


Example 2-6: Creating an OrderDetails table 


CREATE TABLE OrderDetails 
( 
Orderld int, 
ProductId int, 
Oty int, 
Price numeric(8,2) 
ys 
GO 


To apply the same security policy to this related table, you 
must implement additional filtering by creating another 
inline table-valued function, such as the one shown in 
Example 2-7. Notice that you continue to use the 

USER NAME() system function to secure the table by a user- 
specific login. However, this time the inline table-valued 
function's parameter is @Orderld, which is used in 
conjunction with the SalesRep column. 


Example 2-7: Creating an inline table function to 
restrict access by user login in a related table 


Click here to view code image 


CREATE FUNCTION dbo.fn Огдегре+аі15 (@0гдегІа AS int) 
RETURNS TABLE 
WITH SCHEMABINDING 
AS 
RETURN 
SELECT 1 AS fn Orders result 
FROM Orders 
WHERE OrderId = @0гаегІа 
AND SalesRep = USER NAME(); 
GO 


Application using one login for all users 


When your application uses a single login for all users of the 
application, also known as an application account, you use 
similar logic as you do when the application passes user 
logins to the database. Let's continue with a similar example 
as the one in the previous section, but let's add some 
additional columns to the Orders table, as shown in Example 
2-8. In this version of the Orders table, the SalesRep column 
has an /nt data type instead of the sysname data type in the 
earlier example. 


Example 2-8: Creating a variation of the Orders 
table 


CREATE TABLE Orders 
( 


OrderId int, 
SalesRep int, 
ProductId int, 

Qty int, 

Price numeric(8,2) 
m 
GO 


Additionally, the inline table function changes to reflect the 
single login, as shown in Example 2-9. Notice the 
parameter's data type is now /nt instead of sysname to 
match the column in the table shown in Example 2-8. In 
addition, the predicate in the function now uses the 
SESSION CONTEXT system function and outputs the result 
as an /nt data type to match the input parameter's data 
type. 














Example 2-9: Creating an inline table function 
for an application using a single login 


Click here to view code image 


CREATE FUNCTION dbo.fn Orders(@SalesRep AS int) 
RETURNS TABLE 
WITH SCHEMABINDING 


AS 

RETURN 

SELECT 1 AS fn Orders result 

WHERE @SalesRep = CONVERT(SESSION CONTEXT(N'UserId') AS 
int); 
GO 


You must also modify your application code to use the 

sp set session context system stored procedure, which sets 
the value returned by the SESSION CONTEXT system 
function, as shown in Example 2-10. This system stored 
procedure supports two parameters—the key name of the 
value to add and the value to store for this key. In this 
example, the key name is UserID and its value is set to the 
Userld of the application user, which the application passes 
into the stored procedure by using the @Userld input 
parameter. Applications can call sp set session contextin 
line within the stored procedures or directly at application 
startup when the connection is created. 


Example 2-10: Using the sp set session context 
system stored procedure 


Click here to view code image 


CREATE PROCEDURE GetOrder 
@0гаегІа int, 
@UserId int 
AS 
EXEC sp set session context @key=N'UserId', (Qvalue-QUserId; 
SELECT = 
FROM Orders 
WHERE OrderId = (QOrderId; 
GO 


Creating security policies 


After creating inline table-valued functions, you next bind 
them to the table that you want to secure. To do this, use the 
CREATE SECURITY POLICY command, as shown in Example 
2-11. In the security policy, you can define a filter predicate 
by specifying the inline table-valued function name, the 
column name to pass to the function, and the table to which 
the policy applies. 


Example 2-11: Creating a security policy 


Click here to view code image 


CREATE SECURITY POLICY dbo.OrderPolicy 

ADD FILTER PREDICATE dbo.fn Orders(SalesRep) ON 
dbo.Orders 

WITH (STATE=ON); 


You can specify multiple filter predicates in the security 
policy when you want to filter rows in different tables, as 
shown in Example 2-12. 





Example 2-12: Creating one security policy for 
multiple tables 


Click here to view code image 


CREATE SECURITY POLICY dbo.OrderPolicy 

ADD FILTER PREDICATE dbo.fn Orders(SalesRep) ON 
dbo.Orders, 

ADD FILTER PREDICATE dbo.fn OrderHistory(OrderId) ON 
dbo.OrderHistory 

WITH (STATE = ON); 


Using block predicates 


When you use the filter predicate as shown in the examples 
in the preceding section, the security policy affects “get” 
operations only. Users are still able to insert rows that they 
cannot subseguently guery. They can also update rows they 
can currently access and even change the rows to store 
values that block further access. You must decide whether 
your application should allow this behavior or should 
prevent users from inserting rows to which they do not have 
access. To do this, use a block predicate in addition to a filter 
predicate. 


As shown in Example 2-13, you can use both filter and block 
predicates in a security policy. In this example, the security 
policy allows users to guery for rows using the SELECT 
statement and returns only rows to which the user has 
access. A user can insert new rows into the table as long as 
the SalesRep value matches the user's login. Otherwise, the 
insert fails and returns an error to the user. Similarly, an 
update to the table succeeds as long as the user doesn't 
attempt to change the value of the SalesRep column. In that 
case, the update fails and returns an error to the user. 





Example 2-13: Using block and filter predicates 
in a single security policy 


Click here to view code image 


CREATE SECURITY POLICY dbo.OrderPolicy 

ADD FILTER PREDICATE dbo.fn Orders(SalesRep) ON 
dbo.Orders, 

ADD BLOCK PREDICATE dbo.fn Orders(SalesRep) ON dbo.Orders 
AFTER INSERT, 

ADD BLOCK PREDICATE dbo.fn Orders(SalesRep) ON dbo.Orders 
AFTER UPDATE 

WITH (STATE = ON); 


Note 


You can use a filter predicate to prevent users from 
updating or deleting records they cannot read, but 
the filter is silent. By contrast, the block predicate 
always returns an error when performing these 
operations. 


Using RLS in SOL Database 


You can use RIS in SOL database by using the 
same T-SQL commands described in this chapter. 
At the time of this writing, you cannot use the 
Azure portal to implement RLS. 


Dynamic data masking 


When you have a database that contains sensitive data, you 
can use dynamic data masking to obfuscate a portion of the 
data unless you specifically authorize a user to view the 
unmasked data. To mask data, you can use one of the 
following four masking functions to control how users see 
the data returned by a guery: 


* Default Use this function to fully mask values by 
returning a value of XXXX (or fewer Xs if a column 
length is less than 4 characters) for string data types, O 
for numeric and binary data types, and 01.01.2000 
00:00:00.0000000 for date and time data types. 


e Email Use this function to partially mask email 
addresses like this: aXXXGXXXX.com. This pattern masks 
not only the email address but also the length of the 
email address. 


* Partial Use this function to partially mask values by 
using a custom definition requiring three parameters as 
described in the following table: 

Parameter Description 


Prefix Number of starting characters to display, starting from the first character 
in the value. 





Padding Value to be displayed between the prefix and suffix characters. 





Suffix Number of ending characters to display, starting from the last character in 
the value. 


* Random Use this function to fully mask numeric 
values by using a random value between a lower and 
upper boundary that you specify. 





Random function may display unmasked data 


The Random() data-masking function may on 
occasion display the actual value that is stored in 
the table. This behavior is the result of using a 
random value that could match the value to mask 
If it is within the specified range. You should 
consider whether the business rules of your 
application allow for this behavior before using 
this masking function. Whenever possible, use a 
range of values outside the possible range of 
values to mask to ensure that there is no 
possibility of an accidental data leak. While it is 
possible that the random value will return the 
actual value, there is no way of knowing that the 
displayed random value is in fact the actual value 
without knowing the actual value. 


Dynamic data masking of a new table 


To configure dynamic data masking for a new table, use the 
CREATE TABLE statement with the MASKED WITH argument, 
as shown in Example 2-14. In this example, the default() 
function masks the Taxld column for complete masking, and 
the partial() function masks the FirstName column by 
displaying its first three characters and its final character 
and replacing the remaining characters with xyz. 


Example 2-14: Creating a table with two masked 
columns 


Click here to view code image 


CREATE TABLE [dbo].[Customer]( 
[CustomerId] [int] IDENTITY(1,1) NOT NULL, 
[TaxId] [varchar](11) MASKED WITH (FUNCTION = 


'default()'), 

[FirstName] [nvarchar](50) MASKED WITH (FUNCTION = 
"Dartrat(3, “xyz, 1)') NUBE; 

[LastName] [nvarchar](50) NULL, 
PRIMARY KEY CLUSTERED 


( 

[CustomerId] ASC) 
) ON [PRIMARY]; 
GO 


Dynamic data masking of an existing table 


Because dynamic data masking changes only the 
presentation of data returned by a query, there is no change 
to the underlying table structure. That means you can easily 
add dynamic data masking to a column in an existing table 
without rebuilding the table. To this, use the ALTER TABLE 
statement with the ALTER COLUMN and ADD MASKED 
arguments, as shown in Example 2-15. 


Example 2-15: Adding dynamic data masking to 
an existing table 


Click here to view code image 


ALTER TABLE [dbo]. [Customers] 
ALTER COLUMN [LastName] ADD MASKED WITH (FUNCTION = 
'default()'); 


Likewise, you can remove dynamic data masking quickly 
and easily without rebuilding a table or moving data 


because only metadata changes rather than the schema. 
You remove dynamic data masking from a column by using 
the ALTER TABLE statement with the ALTER COLUMN and 
DROP MASKED arguments, as shown in Example 2-16. 





Example 2-16: Removing dynamic data masking 
from a table 


Click here to view code image 


ALTER TABLE [dbo]. [Customers] 
ALTER COLUMN [LastName] DROP MASKED; 


Understanding dynamic data masking and 
permissions 


When you use dynamic data masking, the permissions that 
you assign to users affect whether users see plain text 
values or masked values. Specifically, members of the 
db_owner fixed database role always See plain text values, 
whereas users who are not members of this role see masked 
data by default. 

If you need to grant a user permission to see plain text data 
in a table, you must grant the new UNMASK permission at 
the database level. To do this, use the GRANT UNMASK 
statement in the database containing the masked values, as 
shown in Example 2-17. 





Example 2-17: Granting the UNMASK permission 


GRANT UNMASK TO MyUser; 


Note 
It is not possible to grant table-level access to 
masked data. You can grant this privilege only at 
the database level. Consequently, you can mask 
either all masked data within the database for a 
user or none of the data. 


To remove this permission, you use the REVOKE statement 
as shown in Example 2-18. 





Example 2-18: Revoking the UNMASK permission 


REVOKE UNMASK TO MyUser; 


Figure 2-4 shows examples of query results when you apply 
dynamic data masking to a table. The first query shows 
default and email masking. The second result set shows the 
same queries executed after giving the user permissions to 
view masked data. 





/*Query the table with masking enabled*/ 
execute as user-'MyUser' 


=|select * 
from customer 


revert 
/*Allow the user to see unmasked values*/ 


GRANT UNMASK TO MyUser; 


/*Query the table with masking disabled*/ 
execute as user-'MyUser' 


= select * 
from customer 


revert 


REVOKE UNMASK TO MyUser;| 


% v 
tesults ja Messages 
Customerld Тах!а FirstName LastName MiddleName Address1 Address2 Address3 City PostalCode State BirthDate Email 


| 1 ‚хох хох test NULL NULL NULL NULL NULL NULL NULL NULL DXXX@XXXX.com 
2 хох хох test NULL NULL NULL NULL NULL NULL NULL NULL PAXOXXXX.com 
— Customerld Taxld FirstName LastName MiddleName Addressi Address2 Address3 City PostalCode State BirthDate Email 
J 11-11-1111 Bil test NULL NULL NULL NULL NULL NULL NULL NULL bgates@contoso.co 
2 111-11-1112 Jonathon test NULL NULL NULL NULL NULL NULL NULL NULL jsmith@contoso.net 
Figure 2-4: Query results for masked and unmasked 
values. 


Data-masking permissions and configuration survive when 
you copy data from one object to another. For example, if 
you copy data from a user table to a temporary table, the 
data remains masked in the temporary table. 


Masking encrypted values 


Dynamic data masking does not work with encrypted values 
if you encrypt data in the application tier or by using the 
Always Encrypted feature. If you encrypt data before storing 
it in the SQL Server database engine, the engine cannot 
mask a value that it cannot decrypt. In this case, because 
data is already encrypted, there is no benefit or extra 
protection from applying dynamic data masking. 


Using dynamic data masking in SQL Database 


Dynamic data masking is also available for use in SQL 
Database. You can configure it by using T-SQL or by using 
the Microsoft Azure portal. In the Azure portal, navigate to 
the list of SQL Databases within SQL DB, and then select the 
database to view its properties. Next, in the Settings panel, 
select Dynamic Data Masking, as shown in Figure 2-5. In the 
Dynamic Data Masking window, a list of masking rules is 
displayed in addition to a list of columns for which data 
masking is recommended. You can enable data masking on 
those columns by clicking the Add Mask button to the right 
of the column name. 


Settings Dynamic data masking 


ExamTest ExamTest 


= x nr 


Save Discard Add Mask 











Masking Rules 


MASK NAME MASK FUNCTION 
И Properties > dbo Customers LastName Default value (0, xxxx, 01-01-1900) 


с Pricing tier (scale DTUs) А SQL users excluded from masking (administrators are always excluded) 








MONITORING 


= Alert rules > 
Recommended fields to mask 


& Database size 
SCHEMA TABLE COLUMN 











Events ? 

| dbo Customers Taxld 
SECURITY | dbo Customers FirstName 
E Auditing & Threat detection > dbo Customers Address1 
© Dynamic data masking > dbo Customers Address2 





O Transparent data encryption > dbo Customers Address3 


Figure 2-5: Configuring dynamic data masking for a SQL 
Database in the Azure portal. 








After specifying the mask function to apply to selected 
columns, click the Save button at the top of the window to 
save the configuration changes to your SOL Database. After 


saving these changes, users сап no longer see the 
unmasked data in the SQL Database tables unless they have 
the unmask privilege within the database. 


Chapter 4. Improved database engine 


In past releases of SQL Server, Microsoft has targeted 
specific areas for improvement. In SQL Server 2005, the 
storage engine was new. In SQL Server 2008, the emphasis 
was on server consolidation. Now, їп SQL Server 2016, you 
can find enhanced functionality across the entire database 
engine. With Microsoft now managing more than one million 
SOL Server databases through its Database as a Service 
(DBaaS) offering —Microsoft Azure SQL Database—it is able 
to respond more quickly to opportunities to enhance the 
product and validate those enhancements comprehensively 
before adding features to the on-premises version of SQL 
Server. SQL Server 2016 is a beneficiary of this new 
development paradigm and includes many features that are 
already available їп SQL Database. In this chapter, we 
explore a few of the key new features, which enable you to 
better manage growing data volumes and changing data 
systems, manage query performance, and reduce barriers to 
entry for hybrid cloud architectures. 


TempDB enhancements 


TempDB is one of the components for which performance is 
critical in SOL Server because the database engine uses it 
for temporary tables, guery memory spills, index rebuilds, 
Service Broker, and a multitude of other internal functions. 
TempDB file behavior has been enhanced and automated in 
SOL Server 2016 to eliminate many performance problems 
related to the basic configuration of the server. These 
changes allow administrators to focus their efforts on more 
pressing performance and data issues in their environments. 


Configuring data files for TempDB 


In earlier versions of SQL Server, the default configuration 
uses one data file for TempDB. This limitation sometimes 
results in page-latch contention, which has frequently been 
misdiagnosed by administrators as a storage input/output 
(1/0) problem for SQL Server. However, the pages for 
TempDB are typically in memory and therefore not 
contributing to I/O contention issues. Instead, three special 
types of pages are the cause of the page-latch contention 
issue: Global Allocation Map (GAM), Shared Global 
Allocation Map (SGAM), and Page Free Space (PFS). Each 
database file can contain many of these page types, which 
are responsible for identifying where to write incoming data 
in a physical data file. Whenever a process in SOL Server 
needs to use any of these files, a latch is taken. A latch is 
similar to a lock but is more lightweight. Latches are 
designed to be quickly turned on and just as quickly turned 
off when not needed. The problem with TempDB is that each 
data file has only one GAM, SGAM, and PFS page, and a lot 
of processes are trying to access those pages, as shown in 
Figure 4-1. Subseguent reguests begin to gueue, and wait 
times for processes at the end of the gueue increase from 
milliseconds to seconds. 








User User 
Process Process 

User User User 
Process Process Process 


Oueued Processes 


SGAM PFS 


TempDB Data File 


Figure 4-1: Contention in TempDB. 


An easy way to remedy TempDB page-latch contention in 
SOL Server is to add more data files. In turn, SOL Server 
creates more of the three special types of pages and gives 
SOL Server more throughput to TempDB. Importantly, the 
files should all be the same size. SOL Server uses a 
proportional fill algorithm that tries to fill the largest files 
first, leading to hotspots and more latch contention. 
However, because the default setting creates only one file, 
many database administrators have not been aware of the 


solution. Even after learning about the need to create 
multiple files, there was often confusion about the correct 
number of files to configure, especially when factoring in 
virtual machines, hyperthreading, and cores versus CPU 
sockets. 


In 2011, Microsoft released the following guidance for 
TempDB configuration: 


As a general rule, if the number of logical processors is less 
than or equal to 8, use the same number of data files as 
logical processors. If the number of logical processors is 
greater than 8, use 8 data files and then if contention 
continues, increase the number of data files by multiples of 
4 (up to the number of logical processors) until the 
contention is reduced to acceptable levels or make changes 
to the workload/code. 


Note 


For more detail, see “Recommendations to reduce 
allocation contention in SQL Server tempdb 
database,” at https://support. microsoft. com/en- 
us/kb/2154845. 


Accordingly, in SOL Server 2016, this recommendation is 
built into the product setup. When you install SOL Server, 
the default configuration for TempDB now adapts to your 
environment, as shown in Figure 4-2. The setup wizard no 
longer creates a single file by default; instead, it assigns a 
default number of files based on the number of logical 
processors that it detects on the server, up to a maximum of 
8. You can adjust the size of the files and the autogrowth 
rate if you like. Always monitor the growth of these files 
carefully, as performance is affected by file growth even 
when instant file initialization is enabled. 


Database Engine Configuration 


Specify Database Engine authentication security mode, administrators, data directories and TempDB settings. 


Global Rules | Server Configuration | Data Directories | B | FILESTREAM 
Product Updates 


iles: ES 
Install Setup Files TempDB data files: tempdb.mdf, tempdb_mssql_*.ndf 


Install Rules Number of files: 2 





Installation Type 8 


Product Key 
License Terms Autogrowth (MB): 94 Total autogrowth (MB): 


Initial size (MB): Total initial size (MB): 
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Figure 4-2: Configuring TempDB in SQL Server 2016. 





Note 


SQL Server defaults to a conservative setting of 8 
megabytes (MB) for Initial Size and 64 MB for 
Autogrowth. A best practice is to start with an 
initial file size of 4,092 MB, with an autogrowth 
setting of 512 MB, as the initial file size is still 
small by most standards. Many DBAs dedicate a 
standard-size file system (typically 100-200 GB) 
to TempDB and allocate 90 percent of it to the 
data files. This sizing can reduce contention and 
also prevents any uncontrolled TempDB growth 
from impacting user databases. 


I: 








Eliminating specific trace flags 

Trace flags are commonly used by administrators to perform 
diagnostics or to change the behavior of SQL Server. With 
TempDB in earlier releases of SQL Server, administrators use 
trace flags 1117 and 1118 to improve performance. In SOL 
Server 2016, the effect achieved by enabling these two 
trace flags has been built into the database engine, 
rendering them unnecessary. 


Trace flag 1117 


Trace flag (TF) 1117 is related strictly to file groups and how 
data files grow within them. A file group is a logical 
container for one or more data files within a database. TF 
1117 forces all data files in the same file group to grow at 
the same rate, which prevents one file from growing more 
than others, leading to the hotspot issue described earlier in 
this chapter. Enabling this trace flag in earlier versions of 
SOL Server is a minor tradeoff in performance. For example, 
If you were using multiple data files in user databases, this 
trace flag affects them as well as TempDB's data files. 
Depending on your scenario, that could be problematic—an 
example would be if you had a file group that you did not 
want to grow as a single unit. Starting with SOL Server 2016, 
the behavior to grow all data files at the same rate is built 
into TempDB by default, which means you no longer need 
this trace flag. 


Trace flag 1118 


Administrators use trace flag 1118 to change page 
allocation from a GAM page. When you enable TF 1118, SQL 
Server allocates eight pages, or one extent, at a time to 
create a dedicated (or uniform) extent, in contrast to the 
default behavior to allocate a single page from a mixed 
extent. Unlike with TF 1117, there was no potential 
downside to enabling TF 1118—it is generally recommended 
for all SQL Server implementations in earlier releases. 
Starting with SQL Server 2016, all allocations of TempDB 
pages use uniform extent allocation, thus eliminating the 
need to use TF 1118. 


Query Store 


One of the most common scenarios you likely encounter is a 
user reporting that a query is suddenly running more slowly 
than in the past or that a long-running job that once took 3 
hours is now taking 10. These performance degradations 
could be the result of changes in data causing out-of-date 
statistics or changes in execution parameters or be caused 
simply by reaching a tipping point in hardware capabilities. 
In previous versions of SQL Server, troubleshooting these 
issues requires you to gather data from the plan cache and 
parse it by using XML Query (xQuery), which can take 
considerable effort. Even then, you might not have all the 
information you need, unless you are actively running traces 
to baseline the user’s environment. 


The new Query Store feature in SQL Server 2016 simplifies 
identification of performance outliers, manages execution 
plan regression, and allows for easier upgrades between 
versions of SQL Server. It has two main goals—to simplify 
identification of performance issues and to simplify 
performance troubleshooting for queries caused by changes 
in execution plans. The query store also acts as a flight data 
recorder for the database, capturing query run-time 


statistics and providing a dashboard to sort queries by 
resource consumption. This vast collection of data serves not 
only as a resource for the automated functions of the query 
store, but also as a troubleshooting resource for the DBA. 


This feature is one of the biggest enhancements to the SQL 
Server database engine since the introduction of dynamic 
management views (DMVs) into the database engine in SOL 
Server 2005. The query store gives unprecedented insight 
into the operations of a database. Whether you want to find 
the highest workloads in an instance, perform an in-depth 
analysis across executions of the same code, or fix a pesky 
parameter-sniffing problem, the guery store offers a vast 
metastore of data, allowing you to quickly find performance 
Issues. 


Enabling Ouery Store 


Ouery Store manages its metadata in the local database, but 
it is disabled by default. To enable it in SOL Server 
Management Studio (SSMS), open Object Explorer, connect 
to the database engine, navigate to the database for which 
you want to enable Ouery Store, right-click the database, 
select Properties, and then click Ouery Store in the Database 
Properties dialog box. You can change the Operation Mode 
(Reguested) value from Off to Read Only or Read Write. By 
selecting Read Write, as shown in Figure 4-3, you enable 
Ouery Store to record the run-time information necessary to 
make better decisions about gueries. 
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Figure 4-3: Enabling Query Store. 


You can also use the T-SQL ALTER DATABASE command to 
enable Query Store, as shown in Example 4-1. 

















Example 4-1: Enabling Query Store 


Click here to view code image 


ALTER DATABASE AdventureWorks2014 
SET QUERY STORE = ON 
( 
OPERATION MODE READ WRITE 
CLEANUP POLICY = ( STALE QUERY THRESHOLD DAYS = 5 ) 
DATA FLUSH INTERVAL SECONDS = 2000 
MAX STORAGE SIZE MB = 10 
INTERVAL LENGTH MINUTES = 10 


~~ - - - 
- 


Understanding Ouery Store components 


The guery store contains two stores: a plan store that 
persists the execution plans, and a run-time stats store that 
persists the statistics surrounding guery execution, such as 
CPU, I/O, memory, and other metrics. SOL Server retains this 
data until the space allocated to Ouery Store is full. To 
reduce the impact on performance, SOL Server writes 
information to each of these stores asynchronously. 


Note 


The default space allocation for Query Store is 100 
MB. 


You can use the following five dynamic management views, 
as shown in Figure 4-4, to return metadata and query 
execution history from the query store: 


* query store runtime stats Run-time execution 
statistics for queries. 
* query store runtime stats interval Start and end 


times for the intervals over which run-time execution 
statistics are collected. 


e query store plan Execution plan information for 
gueries. 


* query store query Query information and its overall 
aggregated run-time execution statistics. 


* query store query text Query text as entered by 
the user, including white space, hints, and comments. 
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Figure 4-4: Query Store DMVs. 


Reviewing information in the query store 


The change in query execution plans over time can be a 
troubleshooting challenge unless you periodically mine the 
procedure cache to capture query plans. However, plans 
might be evicted from the cache as a server comes under 
memory pressure. If you use real-time querying, you have 
access only to the most recently cached plan. By using 
Query Store, as long as it is properly configured, you always 
have access to the information you need. One way to review 
this information is by using the dashboard views available in 
SSMS when you expand the Query Store folder for the 
database node, as shown in Figure 4-5. By taking advantage 
of this data, you can quickly isolate problems and be more 
productive in your tuning efforts. 
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Figure 4-5: Query Store dashboards available in SSMS. 


After enabling Query Store for a database, you have access 
to the following four dashboards: 


* Regressed Queries Use this dashboard to review 
queries that might have regressed because of execution 
plan changes. The dashboard allows you to view the 


U E E m) ЕЕ 


queries and their plans as well as to select queries 
based on statistics (total, average, minimum, maximum, 
and standard deviation) by query metric (duration, CPU 
time, memory consumption, logical reads, logical writes, 
and physical reads) for the top 25 regressed queries 
over the last hour. 


* Overall Resource Consumption Use this dashboard 
to visualize overall resource consumption during the 
last month in four charts: duration, execution count, 
CPU time, and logical reads. You have the option to 
toggle between a chart view and a grid view of the 
query store data. 


* Top Resource Consuming Queries Use this 
dashboard to review queries in the set of top 25 
resource consumers during the last hour. You can filter 
the queries by using the same criteria available in the 
Regressed Queries dashboard. 

* Tracked Queries Use this dashboard to monitor a 
specify query. 

АП the dashboards except Overall Resource Consumption 
allow you to view the execution plan for a query. In addition, 
you have the option to force an execution plan at the click of 
a button in the dashboard, which is one of the most powerful 
features of the query store. However, the plan must still 

exist in the query plan cache to use this feature. 


You can customize Query Store dashboards to show more 
data or to use a different time interval. To do this, double- 
click a dashboard to open it, and then click the Configure 
button at the top of the dashboard to display and edit the 
configuration dialog box, as shown in Figure 4-6. 


Regression Criteria 
Check For Regression In: Based On: 
O CPU Time (us) 4 
(е) Duration (us) 
С) Logical Reads 
С) Logical Writes 
O Memory Consumption (KB) 
(O Physical Reads 





Time Format: (€) Local 
Return 

OAI (Тор 25 

Minimum Execution Count (Recent): 1 
Y Axis Column (Chart) 


additional duration workload || 








Figure 4-6: Configuring a Ouery Store dashboard. 


Alternatively, you can guery a DMV directly, which is a 
powerful approach for guickly isolating poorly performing 
gueries. Example 4-2 shows a T-SOL statement to return the 
poorest performing gueries over the last hour. 


Example 4-2: Finding the poorest performing 
queries over the last hour 


Click here to view code image 


SELECT TOP 10 rs.avg duration, qt.query sql text, q.query_id, 
gt.guery text id, p.plan id, GETUTCDATE() AS 
CurrentUTCTime, 
rs.last execution time 
FROM sys.guery store guery text AS gt 
JOIN sys.guery store guery AS g 
ON gt.guery text id = g.guery text id 
JOIN sys.guery store plan AS p 
ON g.guery id = p.guery id 
JOIN sys.guery store runtime stats AS rs 
ON p.plan id = rs.plan id 
WHERE rs.last execution time > DATEADD(hour, -1, 
GETUTCDATE ()) 
ORDER BY rs.avg duration DESC; 


Using Force Plan 


The generation of an execution plan is CPU intensive. To 
reduce the workload on the database engine, SOL Server 
generates a plan once and stores it in a cache. Generally, 
caching the plan is good for database performance, but it 
can also lead to a condition known as parameter sniffing. 
This condition occurs when a stored procedure is initially run 
with a given parameter against a table having a skewed 
number of values. You can use the guery store's Force Plan 
option to address this problem. 


To better understand parameter sniffing, consider an 
example in which you create a stored procedure like the one 
shown in Example 4-3. 





Example 4-3: Understanding parameter sniffing 


CREATE PROCEDURE sniff demo 
GPARAMETER1 INT 
AS 
UPDATE SNIFF TABLE 
SET value=2 
WHERE ID=GPARAMETER1; 


Now let's assume that you have a table such as the one 
shown here: 





In this simple example of skewed values in a table, seven 
values have an ID of 1, and one value has an ID of 2. If you 
first run this procedure with a parameter value of 2, the 
execution plan generated by the database optimizer is likely 
to be less than optimal. Then, when you later execute the 
procedure with a parameter value of 1, SQL Server reuses 
the suboptimal plan. 


Because skewed data might force your procedures into plans 
that are less than optimal for many queries, you have the 
opportunity to force the plan that is the best for all 
executions of a given stored procedure. While this approach 
might not offer the best performance for all values of a 
procedure's parameter, forcing a plan can give you more 
consistent overall performance and better performance on 


average. SQL Server honors plan forcing during 
recompilation for in-memory, natively compiled procedures, 
but the same is not true for disk-based modules. 


You can also unforce a plan by using either the Query Store 
interface in SSMS orthe sp query store unforce plan stored 
procedure. You might unforce a plan after your data changes 
significantly or when the underlying code changes enough 
to render the existing plan invalid. 


Managing the query store 


The query store is extremely helpful, but it does require 
some management. As we explained earlier in this chapter, 
the query store is not enabled by default. You must enable it 
on each user database individually. In addition, a best 
practice is to enable it on the model database. 


Note 


At the time of this writing, Query Store is not 
currently included in the Database Properties 
dialog box in SSMS for the model database. To add 
it, you must enable Query Store by using the 
following code: 


Click here to view code image 


ALTER DATABASE MODEL SET OUERY STORE=ON 


After enabling the guery store, you might need to change 
the space allocated to the guery store from the default of 
100 MB per database. If you have a busy database, this 
allocation might not be large enough to manage execution 
plans and their related metadata. When this space fills up, 
the guery store reverts to a read-only mode and no longer 
provides up-to-date execution statistics. 


The size of your guery store is also directly related to the 
statistics collection interval. The default for this value is 60 


minutes, but you can adjust її to a higher frequency if you 
need more finely grained data. However, capturing data at a 
higher frequency requires more space for the query store. 


Another setting to consider 15 size-based cleanup mode. By 
default, the query store converts to read-only mode when 
full. When you enable size-based cleanup, SQL Server 
flushes older queries and plans as new data comes in, 
thereby continually providing the latest data. Another 
option for space conservation 15 adjusting the capture mode 
of the query store from ALL to AUTO, which eliminates the 
capture of queries having insignificant compile and 
execution detail. 


Tuning with the query store 


After enabling the query store and collecting data over a 
baseline period, you now have a wealth of data and options 
to start troubleshooting performance issues. The query store 
allows you to spend more time troubleshooting problem 
queries and improving them, rather than on trying to find 
the proverbial needle in a haystack. A simple approach is to 
start troubleshooting queries on the basis of highest 
resource consumption. For example, you can look at queries 
consuming the most CPU and logical I/Os. After identifying 
poorly performing gueries, you can then consider the 
following options: 

e If multiple plans are associated with a query, identify 
the best-performing plan and use the Force Plan option 
to reguest it for future executions. 

* If you observe a large gap between the estimated rows 
and the actual rows in a query, updating statistics 
might help performance. 

• If query logic is problematic overall, work with your 
development team to optimize the query logic. 


Stretch Database 


One of the more common refrains in IT infrastructure 
organizations in recent years has been the high costs of 
storage. A combination of regulatory and business 
requirements for long-term data retention, as well as the 
presence of more data sources, means enterprises are 
managing ever-increasing volumes of data. While the price 
of storage has dropped, as anyone who owns enterprise 
storage knows, the total cost of ownership (TCO) for 
enterprise storage commonly used for databases 15 still very 
high. Redundant arrays of independent disks (RAID), support 
contracts, management software, geographical redundancy, 
and storage administrators all add to the high total cost of 
enterprise storage. 


Another factor in the cost of storage is the lack of support for 
online data archiving in many third-party applications. To 
address this problem, a common approach is to use file 
groups and partitioning to move older data to slower disks. 
Although this approach can be effective, її also comes with 
high managerial overhead because it involves storage 
administrators in provisioning the storage and requires 
active management of partitions. 


Perhaps more important than the TCO of enterprise storage 
is the impact of large databases and tables on overall 
administration and availability of the systems. As tables 
grow to millions and even billions of rows, index 
maintenance and performance tuning become significantly 
more complex. These large databases also affect availability 
service-level agreements as restore times can often exceed 
service-level agreements required by the business. 


SQL Server 2016 introduces a new hybrid feature called 
Stretch Database that combines the power of Azure SQL 
Database with an on-premises SQL Server instance to 
provide nearly bottomless storage at a significantly lower 


cost, plus enterprise-class security and near-zero 
management overhead. With Stretch Database, you can 
store cold, infrequently accessed data in Azure, usually with 
no changes to application code. All administration and 
security policies are still managed from the same local SQL 
Server database as before. 


Understanding Stretch Database architecture 


Enabling Stretch Database for a SQL Server 2016 table 
creates a new Stretch Database in Azure, an external data 
source in SQL Server, and a remote endpoint for the 
database, as shown in Figure 4-7. User logins query the 
stretch table in the local SQL Server database, and Stretch 
Database rewrites the query to run local and remote queries 
according to the locality of the data. Because only system 
processes can access the external data source and the 
remote endpoint, user queries cannot be issued directly 
against the remote database. 





Figure 4-7: Stretch Database architecture. 


One of the biggest concerns about cloud computing is the 
security of data leaving an organization's data center. In 
addition to the world-class physical security provided at 
Azure data centers, Stretch Database includes several 
additional security measures. If required, you have the 
option to enable Transparent Data Encryption to provide 
encryption at rest. All traffic into and out of the remote 
database is encrypted and certificate validation is 
mandatory. This ensures that data never leaves SQL Server 
in plain text and the target in Azure 15 always verified. 


The external resource that references the Azure SQL Stretch 
Database can only be used by system processes and is not 
accessible by users. (See Figure 4-8.) Furthermore, it has no 
impact on the underlying security model of a stretch table. 
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Figure 4-8: External resource for Stretch Database. 


The security model in your on-premises database has a 
couple of components. The first reguirement is to enable 
"remote data archive” for the instance. You will need to have 
either sysadmin or serveradmin permission. Once you have 
enabled this feature, you can configure databases for 
stretch, move data to your stretch database, and guery data 
in your stretch database. To enable Stretch Database at the 
individual database level, you must have the CONTROL 
DATABASE permission. You will also need ALTER privileges 
on the tables you are looking to stretch. 


As you would for a SOL Database that you provision 
manually, you must also create a firewall rule for the remote 
SOL Stretch Database database. That way, only safe IP 
addresses can connect to it. The creation of this firewall rule 
is part of the automation in the Stretch Database wizard if 
you enable your SQL Server database for stretch via SQL 
Server Management Studio. 


Identifying tables for Stretch Database 


Not all tables are ideal candidates for Stretch Database. In 
the current release, you cannot enable stretch for a table if it 
has any of the following characteristics: 


* More than 1,023 columns 

e Memory-optimized tables 

* Replication 

e Common language runtime (CLR) data types 
e Check constraints 

* Default constraints 

e Computed columns 


After eliminating tables with these characteristics from 
consideration, you have two options for identifying which of 
the remaining eligible tables in your environment are good 
candidates for stretching. First, you can use T-SQL to find 
large tables and then work with your application teams to 
determine the typical rate of change. A table with a high 
number of rows that are infrequently read is a good 
candidate. The other, more automated option is to use the 
Stretch Database Advisor, which is part of the SQL Server 
2016 Upgrade Advisor. This advisor checks the current 
limitations for Stretch Database and then shows the best 
candidates for stretching based on benefits and costs, as 
shown in Figure 4-9. 
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Figure 4-9: Analyzing candidates for Stretch Database in 
SQL Server 2016 Upgrade Advisor. 


The best applications for Stretch Database are systems for 
which you are required to keep cold data for extended 
periods. By working with your application teams to 
understand which of your systems fit these scenarios, you 
can implement Stretch Database strategically to meet 
business requirements while reducing overall storage TCO 
and meeting business SLAs. 


Configuring Stretch Database 


Before you can configure Stretch Database in SQL Server, 
you must have an Azure account in place and change the 
REMOTE DATA ARCHIVE configuration option at the SQL 
Server instance level. To make this change, execute the 
command shown in Example 4-4. 





Example 4-4: Changing the REMOTE DATA 
ARCHIVE configuration option 


Click here to view code image 


EXEC sp configure 'remote data archive', '1'; 
GO 
RECONFIGURE; 


You can then configure stretch, using the wizard that you 
launch by right-clicking the database in Object Explorer, 
pointing to Stretch, and clicking Enable. The wizard prompts 
you to supply a password for a database master key and 
select the table to stretch and then validates whether the 
table is eligible for stretch. Next, you sign in with your Azure 
credentials, select a subscription, and then select an Azure 
region. For performance reasons, choose the Azure region 
closest to your on-premises location. 


Next, you have the option to create a new server or use an 
existing server. There is no impact on your existing SQL 
Databases if you choose to use an existing server. Your next 
step is to provide administrator credentials for the new SQL 
Database and to create a firewall rule allowing your on- 
premises databases to connect to SQL Database. When you 
click Finish on the last page of the wizard, the wizard 
provisions Stretch Database and begins migrating data to 
the new SQL Database. 


Note 


As an alternative to using the wizard, you can 
perform the steps necessary to configure a 
database and a table for stretch by using T-SQL 
commands. For more information, see “Enable 
Stretch Database for a database” at 
https://msdn. microsoft. com/en- 
US/library/mt163698.aspx. 


Monitoring Stretch Database 


SQL Server 2016 includes a dashboard in SSMS to monitor 

Stretch Database. To view it, right-click the database name 

in Object Explorer, select Stretch Database, and then select 
Monitor to display the dashboard shown in Figure 4-10. 
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Figure 4-10: Monitoring Stretch Database in SSMS. 


In this dashboard, you can see which tables are configured 
for stretch in addition to the number of rows eligible for 
stretch and the number of local rows. In Figure 4-10, all rows 
are stretched. You can also change the migration state of a 
table. The default state is Outbound, which means data is 
moving into Azure. However, you can pause the migration of 
the data. 


Enabling Stretch Database also creates an Extended Events 
session called StretchDatabase Health. You can view the 
extended events associated with this session by clicking the 
View Stretch Database Health Events link above the Stretch 
Configured Tables section of the dashboard. Additionally, 


you can explore two DMVs associated with Stretch Database: 
sys.dm db rda migration status and 
sys.dm db rda schema update status. 


Note 


Most common problems you encounter with 
Stretch Database are likely to be network or 
firewall related. As your first troubleshooting step, 
work with a network administrator to ensure that 
you can reach your SQL Database over port 1433, 
which is a commonly blocked outbound port on 
many networks. 


Another monitoring tool at your disposal is the new Remote 
Query operator in the execution plan for a stretch table, as 
shown in Figure 4-11. SQL Server 2016 also includes the 
Concatenation operator to merge the results of the on- 
premises data with the remote query results. 
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Figure 4-11: Reviewing the execution plan for а stretch 
table. 


An important design pattern with Stretch Database is to 
ensure that your queries do not regularly retrieve 
unnecessary rows. Running poorly written queries against a 
stretch table can apply adverse performance. When 
troubleshooting performance issues on stretched tables, 
start your tuning effort as you would on a regular on- 
premises database. After eliminating issues related to your 





on-premises instance, examine the Azure portal to 
understand how the workload affects the stretch database. 


If your remote query performance is still not sufficient, you 
have several options for tuning. First, ensure that your 
remote database is in the Azure data center nearest your on- 
premises data center to reduce latency. Next, monitor the 
Azure portal to observe the performance characteristics of 
the underlying Azure database. You might need to increase 
the service tier of the SQL Stretch Database. Last, work with 
your network administrator to guarantee quality of service 
between your site and your remote database. 


Backup and recovery with Stretch Database 


Backup and recovery of a stretch-enabled database does not 
include the SQL Stretch Database containing your remote 
tables. Nonetheless, your data remains protected because 
SQL Stretch Database leverages the built-in backup features 
of SQL Database. Accordingly, SQL Database is constantly 
making full and transaction log backups. The retention 
period for these backups is determined by the service tier of 
the database. However, when you back up your on-premises 
database, you are taking a shallow backup. In other words, 
your backup contains only the data that remains on- 
premises and does not include the migrated data. 


To restore a database, follow these steps: 
1. Restore your on-premises SQL Server database. 
2. Create a master key for the stretch-enabled database. 


3. Create a database-scoped credential for your SQL 
Database. 


4. Run the restore procedure. 


Chapter 7. Better reporting 


For report developers, Reporting Services in SQL Server 
2016 has a more modern development environment, two 
new data visualizations, and improved parameter layout 
options. Users also benefit from a new web portal that 
supports modern web browsers and mobile access to reports. 
In this chapter, we'll explore these new features in detail. 


Report content types 


This release of Reporting Services includes both enhanced 
and new report content types: 


* Paginated reports Paginated reports are the 
traditional content type for which Reporting Services is 
especially well suited. You use this content type when 
you need precise control over the layout, appearance, 
and behavior of each element in your report. Users can 
view a paginated report online, export it to another 
format, or receive it on a scheduled basis by 
subscribing to the report. A paginated report can 
consist of a single page or hundreds of pages, based on 
the dataset associated with the report. The need for this 
type of report continues to persist in most 
organizations, as well as the other report content types 
that are now available in the Microsoft reporting 
platform. 


* Mobile reports In early 2015, Microsoft acquired 
Datazen Software to make it easier to deploy reports to 
mobile devices, regardless of operating system and 
form factor. This content type is best when you need 
touch-responsive and easy-to-read reports that are 
displayed on smaller screens, communicate key metrics 
effectively at a glance, and support drill-through to 
view supporting details. In SQL Server 2016, users can 


view both paginated and mobile reports through the 
web portal interface of the on-premises report server. 

* Key performance indicators (KPIs) A KPI is a 
simple type of report content that you can add to the 
report server to display metrics and trends at a glance. 
This content type uses colors to indicate progress 
toward a goal and an optional visualization to show how 
values trend over time. 


Paginated report development enhancements 


In this release of Reporting Services, the authoring tools for 
paginated reports work much like they did in previous 
releases, but with some enhancements. The first noticeable 
change is the overall appearance of the authoring tools. In 
addition, these tools have been augmented by the addition 
of new visualizations and a new interface for working with 
parameters. 


Introducing changes to paginated report 
authoring tools 

As in prior versions of Reporting Services, there are two 
methods for authoring paginated reports: 

* Report Designer A full-featured report development 
environment available as one of the business 
intelligence templates installed in the new SQL Server 
Data Tools for Visual Studio 2015 (SSDT). 

* Report Builder A standalone application that shares 
many common features with Report Designer. 


Report Designer 


Microsoft has released a new updated business intelligence 
template in SSDT that you download from 
http://go.microsoft.com/fwlink/?LinkID=690931. This 
business intelligence template includes an updated version 
of Report Designer that allows you to develop reports for 
multiple versions of Reporting Services. By default, you can 
develop reports for SQL Server 2016 Reporting Services or 
later, as shown in Figure 7-1, but you can change the 
TargetServerVersion property in the project's properties to 
target SQL Server 2008, SQL Server 2008 R2, SQL Server 
2012, or SQL Server 2014. Report authors may continue to 
use SQL Server Data Tools for Business Intelligence in Visual 
Studio 2013 to develop reports for these earlier versions, but 
the new features specific to SQL Server 2016 that we discuss 
later in this chapter are not supported. 























Configuration: | Active(Debug) Platform: Configuration Manager... 








4 Configuration Properties 
General 


OverwriteDatasets False 

OverwriteDataSources False 

Target Dataset Folder Datasets 

Target Data SourceFolder Data Sources 

TargetReport Folder My Report Project 
TargetReportPartFolder Report Parts 

TargetServerURL http-//localhost /reportserver 
TargetServerVersion SQL Server 2016 or later 


TargetReportFolder 
For a report server running in native mode, the path to the report folder, for example /Reports. For a report 
server running in SharePoint integrated mode, enter the URL of the SharePoint library for reports, for example... 


























Figure 7-1: A new default value for the 
TargetServerVersion property in the project's properties. 


Report Builder 


Report Builder is an alternative report-development tool for 
power users and report developers who need only to create 
or edit one report at a time. You can start the ClickOnce 
version of the Report Builder by clicking the Report Builder 
button on the web portal toolbar on your report server at 
http://« servername» /reports. You can also download and 
install a standalone version of Report Builder from 
https://www. microsoft. com/en- 
us/download/confirmation.aspx?id=49528 and then use the 
Windows Start menu to open it after installation. Previous 
versions of Report Builder use the light blue Office 2007 
appearance, but the most recent version of Report Builder, 
shown in Figure 7-2, uses the same darker theme that 
appears in both Office 2016 and the Power Bl Desktop 
application and continues to use a ribbon interface like 
Office applications. 
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Figure 7-2: New Report Builder interface. 


Exploring new data visualizations 


All data visualizations included in prior versions of Reporting 
Services continue to be available, but the SQL Server 2016 
version includes two new types of data visualizations: 


* Tree тар A tree map represents hierarchical 
categories as rectangles with relative sizes. 


* Sunburst A sunburst chart is a hierarchical 
representation of data that uses circles for each level. 


Тгее тар 


A tree map is useful to show how parts contribute to a whole. 
Each rectangle represents the sum of a value and 15 sized 
according to the percentage of its value relative to the total 
of values for all rectangles in the tree map. The rectangles 
are positioned within the tree map with the largest category 
in the upper-left corner of the parent rectangle and the 
smallest category in the lower-right corner. Each rectangle 
can contain another collection of rectangles that break down 
its values by another category that represents a lower level 
ina hierarchy. 


As an example, іп the tree map shown in Figure 7-3, the first 
level shows the United States as the largest category, 
followed by Canada, with the second largest category, and 
then progressively smaller rectangles are displayed for 
France, United Kingdom, Germany, and Australia. For each 
of these country categories, business type is the next lower 
level in the hierarchy, and rectangles for each distinct 
business type are displayed using the same pattern of 
largest to smallest from top left to bottom right within a 
country's rectangle. In this example, the largest business 
type in the United States 15 Value Added Reseller, followed 
by Warehouse, and then Specialty Bike Shop. 
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Figure 7-3: Tree map showing sales hierarchically by 
country and by business type. 


To add a tree map to your report, you use the same 
technique as you do for any chart. Whether using Report 
Designer or Report Builder, you insert a chart into the report 
by choosing Chart from the toolbox or ribbon, and then 
select Tree Map in the Shape collection of chart types in the 
Select Chart Type dialog box, as shown in Figure 7-4. 
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Figure 7-4: Selection of a tree map in the Select Chart 
Type dialog box. 


To configure the chart, click anywhere on its surface to open 
the Chart Data pane. Then click the button with the plus 
symbol to add fields to the Values, Category Groups, or 
Series Groups areas, as shown in Figure 7-5. The value field 
determines the size of a rectangle for category groups and 
series groups. Each series group field is associated with a 
different color and becomes the outermost collection of 
rectangles. For example, with SalesTerritoryCountry as a 
series group, each country is identifiable by color in the tree 
map. Within each country's rectangle, each distinct value 
within a category group is represented by a separate 
rectangle. In this case, each country's rectangle contains 


three rectangles—Specialty Bike Shop, Value Added 
Reseller, and Warehouse. The proportion of an individual 
business type's sales amount value relative to a country's 
total sales determines the size of its rectangle. 
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Figure 7-5: Configuring the Chart Data pane for a tree 
map. 


To improve the legibility of a tree map, you should consider 
making the following changes to specific chart properties: 


* Size You should increase the size of the chart because 
the default size, 3 inches wide by 2 inches high, is too 
small to view the data labels that are enabled by 
default. Click the chart object, but take care to click an 
element such as the Chart Title or a series in the chart, 
and then adjust the Size properties, Width and Height, 
in the Properties pane. 


e Legend To maximize the space of the chart area 


allocated to the tree map, consider moving the legend 
above or below the chart. To do this, right-click the 


legend, select Legend Properties, and then select one of 
the Legend Position options to reposition the legend. 


* Data labels Even after resizing the chart, you might 
find that the default 10 point font size used for the 
labels is too large to display labels in each rectangle or 
that the black font is difficult to read when the series 
color is dark. To reduce the size of the font and change 
its color to improve the visibility of the data labels, click 
the chart to display the Chart Data pane, click the field 
in the Values area, and then locate the Labels section in 
the Properties pane. When you expand this section, you 
can change font properties such as size and color as 
needed. 


Note 


The size of rectangles in a tree map might 
continue to affect the visibility of the data labels 
even if you reduce the font size to 6 points. If the 
smaller label text cannot fit within the width of its 
rectangle, the label is not displayed. 


* Tooltip One way to compensate for missing data 
labels in small rectangles, or to add more context toa 
tree map, is to add a tooltip, as shown in Figure 7-6. To 
do this, right-click a rectangle in the chart, select Series 
Properties, click the expression button next to the 
Tooltip box in the Series Properties dialog box, and type 
an expression such as this: 

Click here to view code image 





=Fields! BusinessType.Value + ": + 
Format(Sum(Fields! SalesAmount.Value), "C0") 








TAO Value Added Reseller : $625,523 | 





Figure 7-6: Tooltip displayed above a selected rectangle in 
a tree map. 


You can add more than one field to the Category Groups or 
Series Groups areas of the Chart Data pane. However, the 
meaning of the chart is easier to discern if you add the 
second field only to the Series Groups area so that different 
colors help viewers distinguish values, as shown in Figure 7- 
7. If you add a second field to the Category Groups area, 
more rectangles are displayed in the tree map, but it's more 
difficult to interpret the hierarchical arrangement without 
extensive customization of the tree map's elements. 
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Figure 7-7: Tree map displaying two series groups. 


Sunburst 


A sunburst chart is a type of visualization that is a hybrid of 
a pie chart, using slices of a circle to represent the 
proportional value of a category to the total. However, a 
sunburst chart includes multiple circles to represent levels of 
hierarchical data. Color is the highest level of a hierarchy if a 
series group is added to the chart, but it is not required. If no 
series group is defined, the innermost circle becomes the 
highest level of the hierarchy. Each lower level moves farther 
from the center of the circle, with the outermost circle as the 
lowest level of detail. Within each type of grouping, color or 
circle, the slices are arranged in clockwise order, with the 
largest value appearing first and the smallest value 
appearing last in the slice. 


As an example, in Figure 7-8, color is used to identify sales 
amount by year across all circles, with the largest color slice 


starting at the twelve o'clock position in the circle. At a 
glance, a viewer can easily see the relative contribution of 
each year to total sales and which year had the greatest 
number of sales. Next, the inner circle slices each color by 
country, again sorting the countries from largest to smallest 
in clockwise order. The outer circle further subdivides the 
countries by business type. In this example, some of the 


slices are too small for the labels to be displayed. 
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Figure 7-8: Example of a sunburst chart. 


To produce a sunburst, you insert a chart into the report and 
select Sunburst from the Shape collection of chart types. 
Click the chart to open the Chart Data pane and use the 
button with the plus symbol to add fields to the Values, 


Category Groups, or Series Groups areas, as shown in Figure 
7-9. The value field determines the size of a slice for 
category groups and series groups. Each series group field is 
associated with a different color and becomes the first 
division of the total value into proportional slices, although 
the inclusion of a series group is optional. Category groups 
then further subdivide values into slices, with the first 
category group in the list as the inner circle, and each 
subsequent category group added to the chart as another 
outer circle moving from the center. 
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Figure 7-9: Chart Data pane configured for a sunburst 
chart. 





As for a tree map, a sunburst chart's default properties are 
likely to produce a chart that is difficult to read. Therefore, 
you should consider modifying the following chart 
properties: 
* Size The minimum recommended size for a sunburst 
chart is 5 inches wide. Click the chart object (but not an 


element such as the Chart) and then increase the Size 
properties, Width and Height, in the Properties pane. 


* Legend More space is allocated to the sunburst chart 
when you move the legend above or below the chart. To 
do this, right-click the legend, select Legend Properties, 
and select one of the Legend Position options to 
reposition the legend. 


* Data labels Reducing the label size and changing the 
font color are likely to improve legibility. To fix these 
properties, click the chart to display the Chart Data 
pane, click the field in the Values area, expand the 
Labels section in the Properties pane, and change the 
font size and color properties. 


Note 


Some sunburst slices can still be too small for 
some data labels even if you reduce the font size 
to 6 points. 


* Tooltip To help users understand the values in a 
sunburst chart when data labels are missing from small 
slices, consider adding a tooltip by right-clicking a slice 
in the chart, selecting Series Properties, clicking the 
expression button next to the Tooltip box in the Series 
Properties dialog box, and then typing an expression 
such as this: 

Click here to view code image 
=Fields! BusinessType.Value + " : "+ 


Fields! SalesTerritoryCountry.Value + " : "+ 
Format(Sum(Fields! SalesAmount.Value), "C0") 


Managing parameter layout in paginated 
reports 


In previous versions of Reporting Services, there was no 
option for configuring the layout of parameters unless you 
designed a custom interface to replace Report Manager for 
accessing reports. Now in both Report Designer and Report 
Builder, you can use a Parameters pane to control the 
relative position of parameters and to organize parameters 
into groups. 


Note 


In Report Builder, you can change the visibility of 
the Parameters pane by selecting or clearing the 

new Parameters check box on the View tab of the 
ribbon. 


The new Parameters pane is a 4x2 grid that displays above 
the report design surface. To add a report parameter to the 
grid, you can continue to use the Report Data pane as you 
have in previous versions of Reporting Services. As an 
alternative, in the Parameters pane, right-click an empty cell 
and select Add Parameter, as shown in Figure 7-10, to open 
the Report Parameter Properties dialog box. Notice that the 
context menu that appears when you right-click a cell also 
includes commands to add or remove rows or columns, 
delete a parameter, or view a selected parameter's 
properties. 
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Figure 7-10: Adding a new parameter to a report by using 
the Parameters pane in Report Builder. 


Note 


When you add а report parameter by using the 
Parameters pane, the parameter is added 
automatically to the Report Data pane. You can 
easily access a parameter's properties by double- 
clicking itin either location. 


After adding a parameter, you can drag it toa new location. 
Consider using empty rows or columns to create groupings 
of parameters, as shown in Figure 7-11. 
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Figure 7-11: Using separate columns to group parameters 
in the Parameter pane. 


Note 


If you design a report with cascading parameters, 
the sequence of parameters in the Report Data 
pane remains important. Cascading parameters 
are a set of at least two parameters in which a 
child parameter's available list of values is 
dependent on the user's selection of another 
parameter value, the parent parameter. The 
parent parameter must be displayed above the 
child parameter in the Report Data pane. 


You cannot control the size of an unused parameter column, 
but the rendered report displays each column with enough 

separation to clearly distinguish groups, as shown Figure 7- 
12. You can create more separation between column groups 
by inserting another empty column in the Parameters pane. 
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Figure 7-12: Parameter groups in a rendered report. 


Mobile report development 


Mobile reports display data concisely for use on mobile 
devices. The acquisition of Datazen by Microsoft brings a 
suite of tools supporting the development of mobile reports 
into the Reporting Services platform, but these tools are 
currently in various states of integration. To create mobile 
reports, you use the SQL Server Mobile Report Publisher 
(which you can download from the Microsoft Store for 
Windows 8 and Windows 10). 


Note 


The Mobile Report Publisher is not available at the 
time of this writing. This section will be updated 
with more details about Mobile Report Publisher in 
the final version of this ebook. 


Mobile reports enable you to create data mash-ups from a 
variety of data sources. You can use the same data sources 
and shared data sets published to the report server to 
connect data to mobile report elements such as gauges and 
charts, among others. 


KPI development 


In the CTP 3.2 release of SOL Server 2016, you use the 
Reporting Services web portal to create KPIs. From the main 
portal page at http://< yourserver> /reports, click the Preview 
The New Reporting Services link at the top of the page, click 
New in the toolbar, and then click KPI. A new KPI screen is 
displayed, as shown in Figure 7-13. 
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Figure 7-13: Creating a new KPI. 





To configure a KPI, you specify up to four values: Value, the 
amount to monitor; Goal, the target amount to compare with 
Value; Status, a value to set the color of the background; 
and Trend, a set of values to visualize. For each of these 
values, you can set its value manually, associate it with a 
field in a shared dataset on the report server, or leave its 
value empty. (If you choose to use a shared dataset, 
remember that you can specify a cache refresh plan to 
update the KPl as frequently as necessary.) Last, you can 
choose to optionally include one of the following 
visualizations: column chart, line chart, step chart, or area 
chart. 


Note 


Datasets for Value, Goal, and Status must return a 
single row of data. If you choose to use a query for 
Status, the query must return -1 for red, O for 
amber, and 1 for green. A query for Trend must 
return a sorted set of one or more values for use as 
data points in the visualization. 


Report access enhancements 


The user-facing side of Reporting Services also benefits from 
several enhancements in this release. First, browser 
rendering and broader support has been upgraded to 
accommodate modern web standards. Furthermore, the 
ActiveX control is no longer required to print from the web 
portal. Next, users can export reports directly to PowerPoint. 
Last, the process of working with subscriptions in the web 
portal has been improved with several new capabilities to 
streamline and simplify subscription management. 


Accessing reports with modern browsers 


When Reporting Services was initially added to the SQL 
Server platform, it was optimized for Internet Explorer 5. 
Since then, web standards have changed. As a result, 
modern browsers that are optimized for newer web 
standards such as HTML5 and CSS3 have emerged and 
grown in popularity. But however popular these browsers 
might be for users on a day-to-day basis, earlier versions of 
Reporting Services do not render reports consistently in 
these browsers at best or do not render them at all at worst. 
In SOL Server 2016, Reporting Services is redesigned with a 
new renderer that supports HTML5 and has no dependency 
on features specific to Internet Explorer, so users can have a 
consistent experience across supported browsers. The 
following table shows the browsers currently supported by 
the latest version of Reporting Services by operating 
system: 








Browser 





Microsoft 
Edge 


Windows 
Server 
2012 and 
2012 R2 


Windows 
Server 
2008 R2 





for iPad 












Microsoft Yes 
Internet 
Explorer 10 
and 11 














Google | Yes 
Chrome 









Mozilla Yes 
Firefox 


















Apple Safari E 








Yes 


Regardless of which browser you use, the first time you 








attempt to open a report, an error message is displayed if 


you have not configured the browser to run scripts. In 


response to the message, you can click to continue to view 
the report without scripts. In that case, the report renders in 
HTML, but the features supported by the report viewer are 


not displayed, such as the report toolbar and the document 
map. 


Note 


Enhancing the renderer to work across all 
browsers is a huge undertaking. Despite extensive 
testing, it is possible that a particular combination 
of report elements that worked well in an earlier 
version of Reporting Services no longer renders 
properly. If you find that a report does not render 
correctly with the new rendering engine, you can 
click the Switch To Compatibility Mode link on the 
right side of the report viewer toolbar to revert 
rendering to Reporting Services' prior style of 
rendering. You can also click the Send Feedback 
button next to this link if you continue to have a 
problem rendering a report. Clicking this link 
opens the SQL Server Reporting Services Forum 
on MSDN, where you can use the Ask A Question 
button to create a post describing the problem 
you are experiencing. 


Not only is the rendering engine updated, but the Report 
Manager web application used for report access is no longer 
available. Instead, users access reports by using the new 
Reporting Services web portal, shown in Figure 7-14. The 
web portal includes a Favorites page on which you can 
organize reports by type: KPls, mobile reports, and 
paginated reports. You can switch to the Browse page to 
view reports by navigating through folders. 


MV (0.2487 00 А": 


КҰІЗГІІ AN 8.3200 172 | North America 





Figure 7-14: The home page of the new Reporting Services 
web portal displaying the Favorites tab. 


Note 


Mobile reports are not available in the new web 
portal in SQL Server 2016 CTP 3.2 but will be 
available in a future release of SQL Server 2016. 
This section will be updated in the final ebook. 


Viewing reports on mobile devices 


In addition to using the web portal to view mobile reports 
rendered as HTML5 pages in a web browser, you can also 

interact with these reports through a native user interface 
on the following major mobile platforms: 


* Windows 8 or later On your tablets and touch- 
enabled devices, you can use semantic zoom while 


viewing reports. In addition, you can pin dashboards 
and KPIs to the Start screen. 


* 1058 or later You can access published dashboards 
and KPIs while online and review KPI summary data 
when offline. 


Printing without ActiveX 


Earlier versions of Reporting Services require users to install 
ActiveX to enable a control in Internet Explorer that allows 
them to print a paginated report from the browser. However, 
for security reasons, many enterprise users do not have the 
necessary permissions to install software on their computers, 
including ActiveX controls. Furthermore, many modern 
browsers do not support ActiveX. Consequently, in SQL 
Server 2016, Reporting Services provides a new solution by 
generating a printer-friendly PDF version of the report with 
the option to override the default page size. 


When you click the printer icon in the report viewer toolbar, 
Reporting Services checks for the existence of the Acrobat 
PDF browser plug-in in Internet Explorer. If it does not exist, 
an error message prompts you to install the plug-in. 
However, if your browser does not have the plug-in, you are 
still able to print if you clear the error message. After you 
clear the error message, or if you are using a browser other 
than Internet Explorer, the Print dialog box is displayed, as 
shown in Figure 7-15. This dialog box allows you to adjust 
the paper size and page orientation by using the respective 
drop-down lists before printing your report. 
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Figure 7-15: Print dialog box for browser without PDF 
control. 











When you click the Print button in this dialog box in Internet 
Explorer, the operating system's Print dialog box displays 
more options for selecting which pages to print, the number 
of copies to print, and so on. If you choose to cancel at this 
point, the operating system's Print dialog box closes, and 
you then see another type of Print dialog box that displays a 
preview of the first page of your report, as shown in Figure 7- 
16. At the bottom of this dialog box is the Click Here To View 
The PDF Of Your Report link, which allows you to open your 
report in Acrobat Reader if it is installed on your computer. 
Otherwise, you can download the PDF to store it for later 
viewing once you have installed the necessary software. 


Print 


Print your report from the preview window below. 
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Figure 7-16: Print dialog box with option to view the PDF 
of your report. 


Note 


When you use Edge as your browser and click the 
Print button in Reporting Services' Print dialog 
box, another tab opens in the browser and 
displays your report because Edge has a built-in 
PDF viewer. 


In Chrome, when you click Print, a message 
appears and indicates that the report is being 
converted to PDF, and then Chrome’s Print dialog 
box displays. 


In Safari, a message indicates that your PDF file 15 
ready and includes the link Click Here To View The 
PDF Of Your Report. When you click the link, the 
PDF file downloads and the Preview application 
opens to display your report. 


Just as in prior versions, report server administrators can 
control whether users see the print icon in the report viewer 
toolbar. However, the Enable Download For the ActiveX 
Client Print Control check box is no longer available for this 
purpose when configuring report server properties because 
this control is no longer supported. Instead, you change one 
of the advanced properties that controls the presence of the 
print icon. To do this, open SOL Server Management Studio 
by using Run As Administrator, connect to the Report Server, 
right-click the server node, select Properties, select the 
Advanced tab in the Server Properties dialog box, and 
change the EnableClientPrinting property from its default 
setting of True to False. 


Exporting to PowerPoint 


One of the many benefits of Reporting Services is the ability 
to export a report to a variety of different formats, such as 
Excel or Word. In the SQL Server 2016 release, the list of 
available options is expanded to include another popular 
Office application, PowerPoint. When you click the Export 
button in the report viewer toolbar, you now see PowerPoint 
listed as an option, as shown in Figure 7-17. 
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Figure 7-17: Choosing PowerPoint as an option for 
exporting a report. 


Note 


You can also now use PowerPoint as a rendering 
format when configuring a subscription. 


When you select the PowerPoint export option from the list, 
the PPTX file downloads to your computer. You then have the 


option to save it or, if you have PowerPoint installed on your 
computer, to open the file. In general, each page of your 
report becomes a separate slide in PowerPoint, as shown in 
Figure 7-18, although some report items might span multiple 
slides. Just as you must factor in the rendered page size 
during report development if you know that users plan to 
export to PDF or Word, you must ensure report items can fit 
on a single PowerPoint slide where possible. Otherwise, the 
Reporting Services rendering engine will divide the report 
item into two or more smaller pieces and allocate each piece 
to a separate slide, as shown in the third and fourth 
PowerPoint slides in Figure 7-18, which collectively 
represents the third page of a report when the page is 
rendered in HTML. Notice that objects from a report do not 
consume the entire vertical space within a PowerPoint slide. 








Figure 7-18: A report rendered as a PowerPoint file. 


Note 


Although in an earlier section of this chapter we 
recommend placing legend items above or below 
a tree map or sunburst chart to maximize chart 
space, this recommendation is not applicable to 
reports that you plan to export to PowerPoint 
because the vertical space is more constrained. 


If you click the Enable Editing button that appears when 
PowerPoint opens the file, you can interact with the objects 
added to the file. For example, you can edit freestanding 
text boxes containing static text such as a report title or 
page numbers from the page header or footer. Report items 
such as a chart or a matrix are added as picture objects and 
cannot be edited, although they can be resized and 
rearranged by moving them to a different location on the 
same slide or copying and pasting them to a different slide. 


Pinning reports to Power Bl 


One of the ways that Reporting Services is integrating 
hybrid and on-premises reporting is a new feature that 
allows you to pin a report in the web portal to a Power BI 
dashboard. This capability has several requirements, 
however. You must be using Azure Active Directory (Azure 
AD), and the Power Bl dashboard that you want to use must 
be part of an Azure AD managed tenant. 


To enable this feature, your Windows login must be a 
member of the Azure AD managed tenant and also be the 
system administrator for both Reporting Services and the 
database hosting the Reporting Services databases. Using 
these administrative credentials, launch Reporting Services 
Configuration Manager, click the Power Bl Integration tab, 
click the Register With Power BI button, and provide your 
Power BI login details. 


Before you can pin a report to the dashboard, it must be 
configured to use stored credentials and SQL Server Agent 
must be running because Power Bl uses a Reporting Services 
subscription to manage the scheduled refresh of the report. 
Furthermore, you can pin a report that contains only charts, 
gauges, or maps that are not nested inside other report 
items. To pin a report meeting these requirements, open the 
report in the web portal and click the Pin To Power В! 
Dashboard button in the web portal toolbar. A sign-in dialog 
box is displayed in which you must supply your Power Bl 
login credentials. The first time you pin a report, another 
dialog box asks for permission to update your Power Bl app. 
Next, items in your report that are eligible for pinning are 
displayed in the browser. Click the item, select a dashboard, 
and then choose an hourly, daily, or weekly frequency for 
updating the report, as shown in Figure 7-19. 
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Figure 7-19: Selecting a dashboard for pinning a report. 


A dialog box confirms the success or failure of the operation. 
If the pinning operation succeeds, you can click a link in the 
dialog box to open a web browser window and view your 
dashboard in Power Bl. Your report shows as a tile in the 
dashboard, as shown in Figure 7-20, and will refresh 
periodically according to the schedule you set. When you 


click the report tile in the dashboard, a new browser window 
opens to display your report in the web portal from the 
report server from which it originated. 
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Figure 7-20: Displaying a Reporting Services report as a 
report tile in a Power Bl dashboard. 


Managing subscriptions 


Subscription functionality does not change in SQL Server 
2016 in general. You still configure subscriptions to deliver 
reports to named recipients or to a designated file share. 
However, there are a few new subscription-management 
features that we explore in this section: 


* Subscription description You can include a 
subscription description when creating or changing a 
subscription, which makes it easier to identify a specific 
subscription when many exist for a single report. 


* Subscription owner change After adding а 
subscription to the report server, you can easily change 
its owner. 


* Interface support for changing subscription 
status Whether you have one or many subscriptions 
set up on the server, the web portal interface now 
includes Enable and Disable buttons to quickly change 
the status of subscriptions. 


* File share credentials File share subscriptions have 
a new option to use administrator-defined credentials to 
add files to a file share. 


Subscription description 


The subscription definition page now includes a 
Subscription Properties section, as shown in Figure 7-21, 
that is displayed when you create or edit a subscription. You 
can use this description to distinguish this subscription from 
others, which is helpful when you have several subscriptions 
associated with a single report. For example, use this column 
to describe recipients, the schedule, the delivery type, and 
other report delivery options so that you no longer have to 
edit the subscription to determine its settings. 
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Description: [Weekly delivery of My sales report | 





Owner: 
Report Delivery Options 
Specify options for report delivery. 





Delivered by: | Windows File Share V 


























File Name: |му sales report | 
Y] Add a file extension when the file is created 

Path: \\teamserver\sales reports] z 

Render Format: | PowerPoint ~| 


Figure 7-21: A portion of a subscription definition showing 
the new Subscription Properties section. 


When you add a description to a subscription, the 
description is displayed in the web portal on the 
Subscriptions page that you can access for a specific report 
or on the My Subscriptions page, where you can see all 
reports for which you have created subscriptions, as shown 
in Figure 7-22. You can sort subscriptions by the Description 
column by clicking the column header. 
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Figure 7-22: My Sheen Hon page in the web portal with 
a new column for the subscription description. 











Subscription owner change 


By default, the user credentials are set as the owner of a 
subscription when a new subscription is created and cannot 
be changed during subscription creation. In prior versions of 
Reporting Services, a change of owner was possible only 
programmatically. Now you can edit a subscription in the 
web portal to change its owner. This feature is particularly 
helpful when users change roles in an organization. Both the 
current owner and the report server administrator have 
permissions to change the owner when editing the 
subscription in the web portal. 


Note 


This feature is available in both native and 
SharePoint-integrated modes. 


Interface support for changing subscription status 


In previous versions of Reporting Services, you can pause 
and resume a schedule to control when related subscriptions 
are active. Now there are an Enable and a Disable button in 
the web portal toolbar when you view subscriptions for an 
individual report or view the My Subscriptions page. This 
capability allows you more fine-grained control over the 
execution of specific subscriptions. When you disable a 
subscription, the icon to the left of the subscription displays 
a warning symbol and the Status column value changes to 
Disabled, as shown in Figure 7-23. 
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Figure 7- 23: My Subo ens Jade in the web portal 
displaying a disabled report. 


Note 


This feature is available in both native and 
SharePoint-integrated modes. 


File share credentials 


Rather than instructing users how to define credentials 
required to save a subscription to a file share, report server 
administrators can configure the report server to use a 
single domain user account that users can select when 
defining a file share subscription. To do this, open Reporting 
Services Configuration Manager and access the new 
Subscription Settings page. You enable this feature by 
selecting the Specify A File Share check box and adding a 
domain user account and password, as shown in Figure 7-24. 
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Figure 7-24: Subscription Settings page in Reporting 
Services Configuration Manager. 





Note 
This feature is available only in native mode. 


When this feature is enabled, the user can choose to 
associate the configured file share account with a 
subscription when setting the report delivery options for a 
file share subscription, as shown in Figure 7-25. Using this 
file share account is not reguired, however. The user can 
instead select Use The Following Windows User Credentials 
and supply the domain user name and password. 


Credentials used — | 
to access the file |” Use file share account 


share: O Use the following Windows user credentials 
User Name: 
Password: 


Figure 7-25: The Use File Share Account option when 
configuring a file share subscription. 
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USE [Samples] 

GO 


CREATE COLUMN MASTER KEY MyKey 
WITH 


KEY STORE. PROVIDER. NAME = N'MSSQL CERTIFICATE. STORE' 
KEY PATH = N'CurrentUser/My/DE3A770F25EBD6071305B77FB198D1AE434E6014' 


GO 


USE [Samples] 
со 

CREATE COLUMN ENCRYPTION KEY [MyColumnKey] 

WITH VALUES 

( 

COLUMN MASTER KEY DEFINITION - [MyKey]. 

ALGORITHM = 'RSA OAEP', 

ENCRYPTED. VALUE - 
0x016E008000630075007200720065006E00740075007300650072002F006D0079002F006400650033006100370037003 
0006600320035006500620064003600300037003100330030003500620037003700660062003100390038006400310061 
006500340033003400650036003000310034004D74119935C902E59F57A96C3E6F770826D247135FFFA759B5B013DF4DA 
F7CFB760A5864DD8381B91924D067BE4F574B50DE7F0D53F278E1C003B5D192865B808C1590224F4A4BB463255101C36D 
3089F46609B376D7BO0FA9F9CEAF715398EECAB790AC6EC8BD18C17B3EB992CAEO8FEA6A2F5A2BDDA4F5A700744E45861 
F993A3C488127E5897B30892DD2734DD5D84F096882A393D5877C5A20E392888FE0357F46DB578AEB4C677CFFCE228127 
6C4D12F3ESAC3BCCCO9B78BBOE522D86F9B2CF989F14695B7CB95A478194ECBD175B5C7C1687B7589FD9145B2782CBOBB 
AB6F7FSBOAC7F8C256EBOD3D87ABAE4F73137FA4AFA387B791854AC503B53271D 
ЈЕ 
GO 


CREATE TABLE [dbo] . [Customers]: 
[CustomerId] [int] IDENTITY(1,1), 
[TaxId] [varchar](11) COLLATE Latin1 General BIN2 
ENCRYPTED WITH (ENCRYPTION TYPE = DETERMINISTIC, 
ALGORITHM = 'AEAD AES 256 CBC HMAC SHA 256', 
COLUMN ENCRYPTION KEY = MyColumnKey) NOT NULL, 
[FirstName] [nvarchar](50) NULL, 
[LastName] [nvarchar](50) NULL, 
[MiddleName] [nvarchar](50) NULL, 
[Address1] [nvarchar](50) NULL, 
[Address2] [nvarchar](50) NULL, 
[Address3] [nvarchar](50) NULL, 
[City] [nvarchar](50) NULL, 
[PostalCode] [nvarchar](10) NULL, 
[State] [char](2) NULL, 
[BirthDate] [date] 
ENCRYPTED WITH (ENCRYPTION_TYPE = RANDOMIZED. 
ALGORITHM = 'AEAD AES 256 CBC HMAC SHA 256', 
COLUMN ENCRYPTION KEY = MyColumnKey) NOT NULL 
PRIMARY KEY CLUSTERED ([CustomerId] ASC) ON [PRIMARY] 
GO 


de 


Column Encryption Setting=enabled 


INSERT INTO NewTable SELECT * FROM OldTable; 


CREATE FUNCTION dbo.fn Orders(GSalesRep AS sysname) 
RETURNS TABLE 

WITH SCHEMABINDING 

AS 
RETURN 

SELECT 1 AS fn Orders result 

WHERE @SalesRep = USER МАМЕ(); 

GO 


CREATE FUNCTION dbo.fn OrderDetails(eorderId AS int) 
RETURNS TABLE 
WITH SCHEMABINDING 
AS 
RETURN 
SELECT 1 AS fn Orders result 
FROM Orders 
WHERE OrderId = @Orderid 
AND SalesRep = USER NAME(); 
GO 


CREATE FUNCTION dbo.fn_Orders(GSalesRep AS int) 
RETURNS TABLE 
WITH SCHEMABINDING 
AS 
RETURN 
SELECT 1 AS fn Orders result 
WHERE GSalesRep = CONVERT(SESSION CONTEXT(N'UserId') AS int); 


GO 


CREATE PROCEDURE GetOrder 
GOrderId int, 
aUuserId int 
AS 
EXEC sp set session context Gkey-N'UserId', Gvalue-GUserId; 
SELECT * 
FROM Orders 
WHERE OrderId = GOrderId; 
GO 


CREATE SECURITY POLICY dbo.OrderPol1cy 
ADD FILTER PREDICATE dbo.fn Orders(SalesRep) ON dbo.Orders 
WITH (STATE-ON) ; 


CREATE SECURITY POLICY dbo.OrderPolicy 
ADD FILTER PREDICATE dbo.fn Orders(SalesRep) ON dbo.Orders, 
ADD FILTER PREDICATE dbo.fn OrderHistory(OrderId) ON dbo.OrderHistory 
WITH (STATE = ON); 


CREATE SECURITY POLICY dbo.OrderPolicy 
ADD FILTER PREDICATE dbo.fn_Orders(SalesRep) ON dbo.Orders, 
ADD BLOCK PREDICATE dbo.fn Orders(SalesRep) ON dbo.Orders AFTER INSERT, 
ADD BLOCK PREDICATE dbo.fn Orders(SalesRep) ON dbo.Orders AFTER UPDATE 
WITH (STATE = ON); 


CREATE TABLE [dbo] . [Customer]: 
[CustomerId] [int] IDENTITY(1,1) NOT NULL, 
[TaxId] [varchar] (11) MASKED WITH (FUNCTION = 'default()'), 


[FirstName] [nvarchar](50) MASKED WITH (FUNCTION = 'partial(3, "xyz", 1)') NULL, 
[LastName] [nvarchar](50) NULL, 

PRIMARY KEY CLUSTERED 

( 


[CustomerId] ASC) 


) ON [PRIMARY]; 
GO 


ALTER TABLE [dbo]. [Customers] 
ALTER COLUMN [LastName] ADD MASKED WITH (FUNCTION = 'default()'5; 


ALTER TABLE [dbo].[Customers] 
ALTER COLUMN [LastName] DROP MASKED; 


ALTER DATABASE AdventureWorks2014 
SET QUERY_STORE = ON 
( 
OPERATION_MODE = READ_WRITE 
, CLEANUP_POLICY = ( STALE_QUERY_THRESHOLD_DAYS = 5 ) 
, DATA_FLUSH_INTERVAL_SECONDS = 2000 
, MAX_STORAGE_SIZE_MB = 10 
, INTERVAL_LENGTH_MINUTES = 10 
2; 


SELECT ТОР 10 rs.avg_duration, gt.guery sgl text, g.guery 1d, 
qt.query text id, p.plan id, GETUTCDATEQ AS CurrentUTCTime, 
rs.last execution time 

FROM sys.guery store guery text AS gt 

JOIN sys.query store query AS g 
ON qt.query text id = g.guery text id 

JOIN sys.guery store plan AS p 
ON g.guery id = p.guery id 

JOIN sys.guery store runtime stats AS rs 
ON p.plan id = rs.plan id 

WHERE rs.last execution time > DATEADD(hour, -1, GETUTCDATE()) 

ORDER BY rs.avg duration DESC; 


ALTER DATABASE MODEL SET QUERY_5TORE=0N 


EXEC sp configure ‘remote data archive", '1'; 
GO 

RECONFIGURE; 

GO 


=Fields!BusinessType.Value + " : " + Format(Sum(Fields!SalesAmount.Value), "СО") 


=Fields!BusinessType.Value + + Fields!SalesTerritoryCountry.Value + " : " + 
Format (Sum(Fields!SalesAmount.Value), "СО") 


